Browsers leak installed extensions to sites

Discussion in 'privacy problems' started by siric, Aug 30, 2017.

  1. siric

    siric Registered Member

    Joined:
    Oct 26, 2016
    Posts:
    11
    Location:
    Home
    "Security researchers have discovered flaws in the extensions systems of all modern browsers that attackers may exploit to enumerate all installed browser extensions.

    The attack affects all modern browsers. The researchers confirmed it in Chromium-based browsers, and believe that it affects other browsers like Firefox or Edge which use the same extensions system as well. Firefox's legacy add-on system is also vulnerable to the attack."

    https://www.ghacks.net/2017/08/29/browsers-leak-installed-extensions-to-sites/


    In other news: Resource URI Leak Fixed in Firefox Nightly
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    It was mentioned that Firefox webextensions are not effected:
    but this is not the case:

    https://www.ghacks.net/2017/08/30/firefox-webextensions-may-identify-you-on-the-internet/
     
  3. siric

    siric Registered Member

    Joined:
    Oct 26, 2016
    Posts:
    11
    Location:
    Home
    That's correct, Mozilla's WebExtensions are affected too. Mozilla should be able to fix that easily though, for example by randomizing the ID's each time the browser opens.
     
  4. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
    I expect Google Chrome takes a different route to resolve this issue unlike Mozilla's way. I use GPOs to whitelist some / blacklist * the rest and I can't see randomization working here. Or perhaps Chrome could manage both techniques to work alongside each other.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    I don't get it, wasn't it always possible for websites to see which extensions you are using? I thought that's the way that anti-adblockers were working.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    Sure, the effects of some extensions are obvious. But some only do client-side stuff, that servers don't see. Or shouldn't see, anyway.
     
Loading...