"Security researchers have discovered flaws in the extensions systems of all modern browsers that attackers may exploit to enumerate all installed browser extensions. The attack affects all modern browsers. The researchers confirmed it in Chromium-based browsers, and believe that it affects other browsers like Firefox or Edge which use the same extensions system as well. Firefox's legacy add-on system is also vulnerable to the attack." https://www.ghacks.net/2017/08/29/browsers-leak-installed-extensions-to-sites/ In other news: Resource URI Leak Fixed in Firefox Nightly
It was mentioned that Firefox webextensions are not effected: but this is not the case: https://www.ghacks.net/2017/08/30/firefox-webextensions-may-identify-you-on-the-internet/
That's correct, Mozilla's WebExtensions are affected too. Mozilla should be able to fix that easily though, for example by randomizing the ID's each time the browser opens.
I expect Google Chrome takes a different route to resolve this issue unlike Mozilla's way. I use GPOs to whitelist some / blacklist * the rest and I can't see randomization working here. Or perhaps Chrome could manage both techniques to work alongside each other.
I don't get it, wasn't it always possible for websites to see which extensions you are using? I thought that's the way that anti-adblockers were working.
Sure, the effects of some extensions are obvious. But some only do client-side stuff, that servers don't see. Or shouldn't see, anyway.
