
Websites Can Detect What Chrome Extensions You've Installed

timothy posted about 2 years ago | from the incognito-no-more dept.

Chrome

dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes a worrisome entry in his blog: with a few lines of Javascript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.


131 comments

Well, there it is: (4, Funny)

Anonymous Coward | about 2 years ago | (#39387449)

Yet another way that IE is better than Chrome.

Re:Well, there it is: (1)

Centurix (249778) | about 2 years ago | (#39387587)

That IE can't detect what Chrome extensions you have installed? I'm sure given time and the history of IE it probably doesn't need an extension to tell if you're pregnant...

Re:Well, there it is: (4, Funny)

WrongSizeGlass (838941) | about 2 years ago | (#39387975)

I'm sure given time and the history of IE it probably doesn't need an extension to tell if you're pregnant...

An extension is still going to be required to get someone pregnant.

Re:Well, there it is: (4, Funny)

Anonymous Coward | about 2 years ago | (#39388467)

Some would suggest that if you're using IE you're already screwed

Re:Well, there it is: (2, Funny)

Anonymous Coward | about 2 years ago | (#39389133)

Some would suggest that if you're using IE you're already screwed

Ahh.. but that type of screwing can't get you pregnant.

Re:Well, there it is: (1)

youn (1516637) | about 2 years ago | (#39389167)

Some would suggest that if you're using IE you're already screwed

Ahh.. but that type of screwing can't get you pregnant.

Who knows... imagine a woman is using a period tracking extension and the person is misled to think she won't get pregnant.

Re:Well, there it is: (4, Insightful)

hairyfeet (841228) | about 2 years ago | (#39389611)

Cute but this is a REALLY bad thing as if this gets out websites could use this to detect ABP and block content until you allow them to spam you with ads. Personally, and considering how many pieces of malware come from ads, a website has to PROVE they are worthy of showing me ads before I allow them. If you wish to be given an ABP exception you should have to have an appeal on your site where you explain what makes your advertising trustworthy, explain what ads are and are not allowed, and if you state a good case I'll be happy to add an exception and I'm sure many others will as well.

Let's face it guys, we really wouldn't need extensions like ABP if the ad companies hadn't turned into giant douchebags. You can't infect a system with a plain text ad, but the companies wanted more "attention grabbing" ads so we have what we have now where you pretty much HAVE to use an adblocker just to surf the web with your sanity intact. Try spending an hour surfing the web with a browser with ZERO adblocking like QTWeb portable and see just how bad it's gotten; it's just amazing how much shit they throw up on the screen nowadays. We've ended up in a war with the advertisers who want to snatch your sound and wave their dicks in your face and guys like in TFA showing sites how to make sure you get Gostse'd by the advertisers is SO not good.

Re:Well, there it is: (0)

p0p0 (1841106) | about 2 years ago | (#39388959)

I don't know about you, but my default install is plenty enough to get someone pregnant.
Whether the user experience is as satisfying is another story.

Re:Well, there it is: (1)

beaudjangles (2564381) | about 2 years ago | (#39387641)

Panopticlick, I'm sure we're all familiar with this. In summary, sometimes running IE8 or 9 or whatever is the most popular is the best way to not draw attention to yourself and one of the best ways to blend in. Obviously the full picture is more complicated than that but it's interesting.

Only a partial list (4, Interesting)

ThunderBird89 (1293256) | about 2 years ago | (#39387465)

The proof-of-concept listed only four out of my ten enabled extensions. Among those left out were Google Calendar, UA Spoofer, and Pastebin, among others. I'd say this 'exploit', if we can call it that, has a long way to go...

Re:Only a partial list (4, Informative)

Intropy (2009018) | about 2 years ago | (#39387491)

It got one of four for me. And the one it got was adblock which would be very easy to detect.

Re:Only a partial list (3)

number11 (129686) | about 2 years ago | (#39389753)

On my Comodo Dragon (Chromium), detected ABP, Ghostery, and EditThisCookie. Missed 5 others. I'd say as "proof of concept" it works; presumably the site doesn't test for every conceivable extension.

Re:Only a partial list (5, Informative)

Anonymous Coward | about 2 years ago | (#39387517)

The way this works is by looking for specific plugins (accessing the manifest.json of the extension with the plugin-id). He won't just find every plugin installed, but only the ones he is looking for. On his page he also links to some other site and they have a similar thing working for Firefox.

Re:Only a partial list (5, Informative)

Giorgio Maone (913745) | about 2 years ago | (#39387581)

Two tiny corrections:
  1. He will find all your installed extensions among the ones he's looking for, because every Chrome extension has a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions for GUIDs of all the installable extensions, and he can detect your full extensions list.
  2. There's no such generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.

Re:Only a partial list (5, Informative)

Anonymous Coward | about 2 years ago | (#39387709)

All the extensions contained in the chrome extension hub as recent as his last crawl of the entire website, sure. But no, he will not be able to detect all the extensions because you don't need to install extensions through the extension hub.

Re:Only a partial list (5, Informative)

Anonymous Coward | about 2 years ago | (#39387837)

He will find all your installed extensions... that use manifest_version 1.

"Resources inside of packages using manifest_version 2 or above are blocked by default, and must be whitelisted for use via this property."

"Consider manifest version 1 deprecated as of Chrome 18. Version 2 is not yet required, but we will, at some point in the not-too-distant future, stop supporting packages using deprecated manifest versions. Extensions, applications, and themes that aren't ready to make the jump to the new manifest version in Chrome 18 can either explicitly specify version 1, or leave the key off entirely."

https://code.google.com/chrome/extensions/trunk/manifest.html#web_accessible_resources
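The manifest_version distinction quoted above is the one thing an extension author can actually check for. As an added example (not code from the proof of concept, from Chromium or from the Chrome docs), this Node script audits an extension's manifest.json for what an ordinary web page could load from it, treating a missing manifest_version as version 1 as the quoted docs say, and assuming that '*' in a web_accessible_resources entry matches any run of characters.

```javascript
// Added example, not code from the linked proof of concept, Chromium or the
// Chrome docs. Audits an extension manifest for the exposure the thread
// describes: with manifest_version 1 (or the key left off, which the quoted
// docs treat as version 1) every packaged file, manifest.json included, can be
// loaded by any web page as chrome-extension://<id>/<path>; with
// manifest_version 2 only paths matching a web_accessible_resources entry can,
// and each such path is a handle a page could use to test for the extension.

// Turn one web_accessible_resources glob into a RegExp. Assumption: '*' matches
// any run of characters ('/' included); everything else is literal.
function globToRegExp(pattern) {
  const literal = pattern
    .split('*')
    .map(part => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + literal + '$');
}

// Effective manifest version: a missing key means version 1.
function manifestVersion(manifest) {
  return manifest.manifest_version === undefined ? 1 : Number(manifest.manifest_version);
}

// Collect resource patterns from both the manifest_version 2 shape (array of
// glob strings) and the manifest_version 3 shape (array of {resources, matches}).
function accessiblePatterns(manifest) {
  const patterns = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === 'string') patterns.push(entry);
    else if (entry && Array.isArray(entry.resources)) patterns.push(...entry.resources);
  }
  return patterns;
}

// Could an ordinary web page load <path> from this extension's package?
function isWebAccessible(manifest, path) {
  if (manifestVersion(manifest) < 2) return true;   // MV1: nothing is gated
  return accessiblePatterns(manifest).some(p => globToRegExp(p).test(path));
}

// Summarise the detection surface: whether manifest.json itself is exposed,
// every pattern a page could probe, and which of those are wildcards.
function auditManifest(manifest) {
  const version = manifestVersion(manifest);
  // MV1 behaves like an unrestricted '*' entry.
  const handles = version < 2 ? ['*'] : accessiblePatterns(manifest);
  const wildcards = handles.filter(p => p.includes('*'));
  const manifestExposed = isWebAccessible(manifest, 'manifest.json');
  return {
    manifestVersion: version,
    manifestExposed,
    handles,
    wildcards,
    detectable: manifestExposed || handles.length > 0,
  };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MV1 = { name: 'sample-mv1', version: '1.0' };
const SAMPLE_MV2_ICONS = {
  name: 'sample-mv2-icons', version: '1.0', manifest_version: 2,
  web_accessible_resources: ['images/*.png'],
};
const SAMPLE_MV2_OPEN = {
  name: 'sample-mv2-open', version: '1.0', manifest_version: 2,
  web_accessible_resources: ['*'],
};
const SAMPLE_MV2_CLOSED = { name: 'sample-mv2-closed', version: '1.0', manifest_version: 2 };
const SAMPLE_MV3 = {
  name: 'sample-mv3', version: '1.0', manifest_version: 3,
  web_accessible_resources: [{ resources: ['inject.css'], matches: ['<all_urls>'] }],
};

for (const m of [SAMPLE_MV1, SAMPLE_MV2_ICONS, SAMPLE_MV2_OPEN, SAMPLE_MV2_CLOSED, SAMPLE_MV3]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

Anything listed under web_accessible_resources stays reachable by design, so the useful review question is whether each entry really needs to be there rather than whether the list is empty.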

Re:Only a partial list (1)

Anonymous Coward | about 2 years ago | (#39388055)

That would be all of them for a while yet, as Chrome 18 is still in beta, and

Setting manifest_version 2 in Chrome 17 or lower is not recommended. If your extension needs to work in older versions of Chrome, stick with version 1 for the moment. We'll give you ample warning before version 1 stops working.

Re:Only a partial list (0)

Anonymous Coward | about 2 years ago | (#39388621)

My version is 19.0.1068.1

So he has an "exploit" of a "vulnerability" that was known and has already been addressed, but is not yet standard. Scary. Yawn.....

Re:Only a partial list (4, Informative)

cheater512 (783349) | about 2 years ago | (#39387563)

It's not a 'dump every extension' exploit. It has to check for each one specifically based on a list.
Your extensions simply aren't on the list.

Re:Only a partial list (2, Insightful)

wvmarle (1070040) | about 2 years ago | (#39387741)

The AC before you explained how there is actually a dump-all function. The proof-of-concept just doesn't check for all existing plug-ins. Besides, the detection of even a few plug-ins other than via their external behaviour (e.g. not loading ads like ABP does) is bad enough.

Re:Only a partial list (1)

Anonymous Coward | about 2 years ago | (#39387589)

It has a list of extensions to check for. The exploit lets you check for the presence of any extension if you know the extension ID.
That's slightly less convenient than just getting a list, but it's not that hard to get a nearly complete list of extension IDs.
I'd say this exploit is about as exploitable as an extension listing exploit is going to get.

Re:Only a partial list (5, Insightful)

Anonymous Coward | about 2 years ago | (#39387637)

The detector works by injecting SCRIPT elements referring to chrome-extension://[id]/manifest.json. It checks if this works for several popular extension ids. Common sense would dictate that it should be impossible to load chrome-extension: resources from http: contexts but I checked in a recent Chromium build and the browser just loads the resource. Chromium must be programmed by interns.

Re:Only a partial list (1)

pRock85 (2011582) | about 2 years ago | (#39387647)

I have nothing to hide with respect to my online profile. That is not the point. This country was founded on a private citizen being able to operate in a not hurtful way without being interfered with by the government.

Re:Only a partial list (0)

Anonymous Coward | about 2 years ago | (#39387795)

I have nothing to hide with respect to my online profile. That is not the point. This country was founded on a private citizen being able to operate in a not hurtful way without being interfered with by the government.

...and then, 9/11 "happened"...

Then it was changed to a country in which there is no such concept as a private citizen of any kind...

Re:Only a partial list (4, Funny)

FireFury03 (653718) | about 2 years ago | (#39387957)

The proof-of-concept listed only four out of my ten enabled extensions. Among those left out were Google Calendar, UA Spoofer, and Pastebin, among others. I'd say this 'exploit', if we can call it that, has a long way to go...

That's because you only saw the first part of the exploit.

The full exploit procedure is this:
1. Direct someone at a website that lists a few of their installed extensions.
2. Scan slashdot to find that person moaning about how crap the exploit is and look at the "missed" extensions they list in their comment.
3. Combine the results of (1) and (2) to acquire a complete list of installed extensions for that person.

Re:Only a partial list (0)

Anonymous Coward | about 2 years ago | (#39388497)

I am not sure how this was supposed to work. I got a page with a blank box on it. I am just guessing here that the box was supposed to list some information in it. Even when I enabled javascript it didn't show anything. So it didn't detect the No-Script, Ad Block Plus, Better Privacy, and Optimize Google extensions I am running, assuming that is what it was supposed to say in the box.

Re:Only a partial list (0)

Anonymous Coward | about 2 years ago | (#39388781)

For a start, it is supposed to work for Chrome and not Firefox.

Re:Only a partial list (1)

SteveFoerster (136027) | about 2 years ago | (#39388807)

Perhaps this was a social engineering trick to get people like you all to publicly list all your extensions. ;-)

Re:Only a partial list (0)

Anonymous Coward | about 2 years ago | (#39388831)

Zero for me. The only extension installed is part of the Avast antivirus.

But what is interesting is if you look at the console log. 900+ errors. It looks like this exploit does nothing more than "bruteforce" the browser into revealing what it has. A carefully crafted version of this could explicitly look for adblock or other shitty plugins like it and make it look like the site doesn't work with the extensions enabled.

Note this isn't the only way to break adblock on Chrome, you can have a script delete the css adblock adds, or lock-up processing if an ad script doesn't load, and there are ways of breaking other extensions on Chrome because chrome doesn't sandbox poorly designed extensions.

Re:Only a partial list (1)

SadButTrue (848439) | about 2 years ago | (#39388867)

I got this:

[*] Detected addon: AdBlock (gighmmpiobklfepjocnamgkkbiglidom)
[*] Detected addon: TinEye Reverse Image Search (haebnnbpedcbhciplfhjjkbafijpncjl)
[*] Detected addon: Scientific Calculator (npoipmeppdioagbkigdlnpmjphnolaog)
[*] Detected addon: Personal Blocklist (by Google) (nolijncfnkgaikbjbdaogikpmpbdcdef)
[*] Detected addon: YoWindow Weather (fanogbnclpilemkifpjeglokomebpnef)

It missed Backspace As Back for linux, Kill Flash and Keep my Opt-Outs. Oddly, I don't feel violated. I had always, incorrectly it seems, assumed that a web app could request a list of available plugins.

Re:Only a partial list (1)

Tacvek (948259) | about 2 years ago | (#39389269)

A website can request a list of available NPAPI (i.e. Netscape-style) plugins, however they cannot directly request other browser add-ons like ActiveX controls, or extensions.

As an aside:
Not being able to enumerate ActiveX controls is a very good thing, since that would imply either listing every COM object installed on the system (which effectively includes a list of all major applications installed on your system), or it would require that IE attempt to load each of them that implements the IObjectSafety interface, since those objects need to be asked if they are safe for initialization and scripting. The latter option would be terribly slow.

Re:Only a partial list (0)

Anonymous Coward | about 2 years ago | (#39389071)

It only detects a limited subset of extensions. You have to manually select ones to scan for.

This looks like an XSS fail for Chrome... the "exploit" attempts to load the manifest.json file from each extension via an HTML script tag. Chrome should be blocking normal webpages from doing this due to protocol mismatch.

Re:Only a partial list (1)

andy16666 (1592393) | about 2 years ago | (#39389797)

It got one out of five for me, and that one was google translate, (which also would be easy to detect.)

Not comprehensive (0)

Anonymous Coward | about 2 years ago | (#39387489)

Only got about half mine. I speculate that it only works for the ones you've installed straight from the store; the other half of mine are modded in various ways and loaded unpacked. Not that this is a great help for non-hackers, but worth noting.

Didn't get any of mine (-1)

Anonymous Coward | about 2 years ago | (#39387527)

But I use Opera

Re:Didn't get any of mine (1)

KorrodeAU (1546509) | about 2 years ago | (#39387679)

...and I use Chromium, but I don't have any extensions :> (yes yes i realise that's beside the point ;p)

Websites can discriminate against Adblock users (5, Interesting)

satuon (1822492) | about 2 years ago | (#39387533)

This can be used in a much more mundane way - a website can check if you have Adblock installed, and it can refuse to display its content to you then unless you uninstall it.

Re:Websites can discriminate against Adblock users (5, Interesting)

wmbetts (1306001) | about 2 years ago | (#39387585)

Why is that a problem? It's your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

Re:Websites can discriminate against Adblock users (1)

Omnifarious (11933) | about 2 years ago | (#39387671)

The grandparent stated a fact. He or she did not say it was a problem, just that it was true.

Re:Websites can discriminate against Adblock users (4, Insightful)

Anonymous Coward | about 2 years ago | (#39387773)

Why is that a problem? It's your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

And it's your right to make it hard to see whether you're blocking and it's their right to make their ads hard to block. So if you want to see the content without the ads then it's a problem for you if you can't, just as if they don't want you to see the ads without the content then it's a problem for them if you can.

The fact that someone has a right to do something is pretty much completely unrelated to whether their doing it presents a problem. It's my right to buy the last roll of toilet paper in the shop but if you've run out then that can be a problem for you if I do.

Re:Websites can discriminate against Adblock users (0)

Anonymous Coward | about 2 years ago | (#39387783)

The funny thing about 90% of those adblock-hating sites, is the content they claim to have isn't any better than the stuff you can find on putlocker.

Re:Websites can discriminate against Adblock users (4, Funny)

FudRucker (866063) | about 2 years ago | (#39388123)

I block ads by placing "sticky notes" in strategic locations on my monitor, detect that!

Re:Websites can discriminate against Adblock users (1)

Anonymous Coward | about 2 years ago | (#39387627)

And you can't get around it by using Incognito mode. Incognito mode automatically disables every Chrome extension and is how I usually check to see if an extension is misbehaving on a specific site. This Chrome extension revealing method isn't affected by Incognito mode and reveals extensions even when they're all disabled.

You have to go into the Chrome Extensions manager and manually disable each extension if you don't want the website to detect it.

Re:Websites can discriminate against Adblock users (0)

Anonymous Coward | about 2 years ago | (#39388131)

Google is already doing this.. if you use ad-block in GMAIL... you can't chat (send part.. receive works)

Re:Websites can discriminate against Adblock users (1)

negge (1392513) | about 2 years ago | (#39388143)

I have seen this behavior once on a blog. After loading the page it redirected to another page (aka. not just a pop-over) telling me I need to disable Adblock Plus if I want to read the blog post. Unfortunately I can't seem to find it at the moment.

Re:Websites can discriminate against Adblock users (0)

Anonymous Coward | about 2 years ago | (#39388573)

https://adscendmedia.com/gateway_adblock.php

Re:Websites can discriminate against Adblock users (1)

msobkow (48369) | about 2 years ago | (#39388537)

Clue: They've been doing this without this "exploit."

Personally I don't see why this would be an issue. Doesn't it make sense for a web server to detect the client's plugins, addons, configurations, and to adapt the presentation HTML and XML accordingly?

i.e. How is this any different from detecting Flash? Or Java? Or whether cookies are enabled?

Where is the RISK from knowing what extensions you have installed if they're properly configured?

This reminds me of the panic people have when they first go to a test website that reports on the browser, browser version, OS, IP number, etc. for a client -- all information that is necessary for the web client/browser to function at all. Only the truly security ignorant would panic over this.

Re:Websites can discriminate against Adblock users (0)

Anonymous Coward | about 2 years ago | (#39388931)

It is a privacy risk. Your individual choice of extensions is another data point that can be used to fingerprint your browser.

Another risk could come from an extension introducing a security hole (shouldn't happen, but if the browser doesn't sandbox them properly...) leading to a greater possibility of being compromised by a malicious website.

Browser (+version) and OS shouldn't be necessary if the website and browser both follow standards. Although in the real world browsers often have flaws in their implementations which websites need to work around, which ends up making this information at least useful if not necessary.

If an extension is properly configured, then the website shouldn't need to know about it, it is then the user's job to deal with any compatibility problems the extension might cause, but for Flash, Java, cookies, etc. the presence of which might be necessary to determine if certain content can be served to the user.

Personally, I've long given up worrying about being tracked; I don't like it, so I will do what I can to block it, but at the end of the day I know my IP is pretty much unchanging when I'm at home, and maybe my browser can be fingerprinted, and there isn't a whole lot I can do about that, so it is just something I have to live with if I am to use the web, (well I could do more, but it is too much of a pain, and therefore the costs (in time and effort if nothing else) are too high, unless I really needed anonymity.)

Re:Websites can discriminate against Adblock users (1)

alexgieg (948359) | about 2 years ago | (#39389361)

This can be used in a much more mundane way - a website can check if you have Adblock installed, and it can refuse to display its content to you then unless you uninstall it.

True enough, as I remember finding one site, once, years ago, that did this. In fact, it's actually easy to do in JavaScript: search the page for the relevant elements and do something upon not finding them. But it seems the absolute majority of sites out there just don't think it's worth the effort. Adblocking users are such a minority that the cost of implementing anti-adblocking measures, and keeping them updated in the ensuing arms race, is more than the expected return on investment, as adblockers are very poor adclickers anyway. Not bothering is both easier and more profitable.

Any similarity with the argument that piracy is not worth fighting against isn't mere coincidence.

This is what happens when you trust Google. (-1)

Anonymous Coward | about 2 years ago | (#39387537)

This kind of thing is EXACTLY why I don't like to use google products.

They base their income on targeted ads. Any wonder these kinds of things could happen?

Re:This is what happens when you trust Google. (1)

cheater512 (783349) | about 2 years ago | (#39387567)

Erm...how is that related in the slightest?

If they wanted this to happen, it would have been made an awful lot easier to do.

Hey! It's The Apple Troll/Shill bonch! (-1)

Anonymous Coward | about 2 years ago | (#39387617)

What's the matter loser? Too scared to post in one of your 1 million shill accounts?

Re:This is what happens when you trust Google. (1)

Goaway (82658) | about 2 years ago | (#39388557)

And that's why they already updated the plugin system to avoid this exploit, then, is it?

The hack doesn't work for me. (2)

Kickasso (210195) | about 2 years ago | (#39387545)

Doesn't list anything, even if I enable Javascript for its site in NotScripts (yet another reason to install this little lifesaver).

Aehm (Re:The hack doesn't work for me.) (2)

Giorgio Maone (913745) | about 2 years ago | (#39387787)

Ouch: http://noscript.net/misc/notscripts-detector.html

Disclaimer: the original (and only) NoScript can be detected as well, but at least you couldn't be notified by a JavaScript alert() box on a page where JavaScript isn't supposed to run ;)

Re:Aehm (Re:The hack doesn't work for me.) (1)

Kickasso (210195) | about 2 years ago | (#39388873)

Oh well. Back to the built-in JS blocker, then. Or rather use both built-in blocker and NotScript together.

Grammar fail !! (-1)

Anonymous Coward | about 2 years ago | (#39387607)

"ease" not "easiness" !!! *cringe*

Retarded (0)

topgun966 (1377185) | about 2 years ago | (#39387609)

It only picked up 2 out of my 12 extensions installed, nothing I would say that would be remotely embarrassing or uncommon. Let's just log this under meh...

This is amazing (4, Funny)

93 Escort Wagon (326346) | about 2 years ago | (#39387621)

So let me get this straight - I can click on that link right now in Firefox and it's going to tell me what Chrome extensions I have installed? Unbelievable!

Re:This is amazing (0)

Anonymous Coward | about 2 years ago | (#39387631)

Sadly, your point is going to go over the heads of most ...which is what Google is counting on, I guess.

Re:This is amazing (2)

wvmarle (1070040) | about 2 years ago | (#39387751)

Indeed, I just tried the script in Firefox and it worked 100% correct!

It detected no Chrome extensions, which is correct as I don't even have Chrome installed, let alone any of its extensions.

Re:This is amazing (1, Insightful)

bytesex (112972) | about 2 years ago | (#39388389)

I tried Chrome the other day for the first time, and I was not impressed. All those things that I'd come to expect from using Firefox in Linux - flash not (immediately) working, websites gratuitously opening new windows in the background, and not a single way to make sure you have a menu or even a 'quit' button - I felt quite unsafe and not-in-control. Every now and then I come into contact with a computing experience the way the rest of the world expects it, and I find it most unpleasant.

Re:This is amazing (1)

The MAZZTer (911996) | about 2 years ago | (#39389193)

Sorry you don't like Chrome... I think you'll find the popup problem is probably isolated to a handful of shady sites (I have no such problems myself) and closing all windows effectively quits Chrome anyway. Not sure what Flash is about, it worked out of the box for me.

Chrome has a very good sandbox model though, and they do a ton of tricks to try and keep it running fast. There's also a built in JS-whitelist functionality I call "NoScript Lite" which works pretty well. Plus you have nice sandboxed extensions, unlike Firefox where extensions get free run of the browser or even the system. You might want to keep trying Chrome for a bit, it may still grow on you. :) I jumped to Chrome 0.1 from a very slow Firefox 3 and never looked back, even with the massive lack of features at the time.

Re:This is amazing (-1)

Anonymous Coward | about 2 years ago | (#39387767)

[Citation needed]
When I open this page in Firefox, it finds 0 extensions (as opposed to 1 extension found when opened in Chrome).

fp MARE (-1)

Anonymous Coward | about 2 years ago | (#39387653)

our ability to EFNet, and apply their parting out how t0 make the Butts are exposed

Re:fp MARE (0)

Anonymous Coward | about 2 years ago | (#39387799)

Excuse me! WTF is this?

captcha: tolerate

How am I supposed to know what to tolerate if I can't understand it?

Take Google's good and do away with their bad. (1)

KorrodeAU (1546509) | about 2 years ago | (#39387697)

Guess someone should really post this on the SRWare Iron forums/mailing list (and other privacy-centered Chromium based browsers) so they can disable the functionality in their builds...

Re:Take Google's good and do away with their bad. (0)

Anonymous Coward | about 2 years ago | (#39388113)

There are people still using SRWare Iron?
And trusting it on top of that?

The end is near, folks.

No Javascript -- no problem (0)

Anonymous Coward | about 2 years ago | (#39387703)

The only problem for me are those "Web Experience" folks who think they have to make web pages more entertaining.

And don't get me started on that useless enterprise-y software with heavy-handed Javascript dependency (Jira, I'm looking very especially at you).

Re:No Javascript -- no problem (3, Interesting)

aix tom (902140) | about 2 years ago | (#39387895)

And don't get me started on that useless enterprise-y software which thinks it needs to be "browser based".

For example: We now run multiple client based software packages for different tasks in our company. They can be configured to interact any way we choose (for example a document from content management can be opened INSIDE the point of sale software, so that people at the cash register can view documents pertaining to the customer currently in transaction, so that they can for example pull up the letter the customer claimed to have sent last week to your central office).

When about a decade ago "web based" solutions started to happen, at first we thought "oh, cool, stuff like that will get easier because sooner or later all calls like that can be done via HTTP and URLs." In our own client applications we now use HTTP a lot to request data from other systems in the background. Protocol wise it's a really nice thing.

But putting the *FRONTEND* of an enterprise application into the browser is pretty messed up, since most of the time you need a lot of integration between different systems on the user side, and that is pretty much forbidden by the browser security model.

What I think is *really* needed for HTML5 Enterprise "GUIs" to work is a separate HTML/CSS/JavaScript display application for "trusted apps" that can interact freely with everything and a "web browser" for the public Internet. Or some way to tell a browser that THIS signed "application" is allowed to talk to THAT signed "application" even with cross-site scripting.

Rubbish (0)

Chrisq (894406) | about 2 years ago | (#39387731)

Detected two of my 8 extensions and listed one that I don't have installed.

Re:Rubbish (0)

Anonymous Coward | about 2 years ago | (#39387893)

It gets only the extensions it is looking for because it must search them by id. Are you sure you don't have that other extension installed?

Isn't this expected behavior? (1)

Squirmy McPhee (856939) | about 2 years ago | (#39387733)

This "exploit" looks more like begging the question to me. As far as I can remember, every single Chrome extension I have installed warned me that it might share data with the websites I visit before I installed it. It stands to reason that if an extension can share data with a website, that website can detect the extension, does it not?

I'm not saying that it's ideal behavior, only that it seems to me that Chrome users have already been warned about it by Google itself. If you don't like the behavior, you have quite a few options: Remove the extension, disable it, go incognito when you don't want your extensions detected, or simply use another browser come immediately to mind.

Re:Isn't this expected behavior? (3, Interesting)

Squirmy McPhee (856939) | about 2 years ago | (#39387763)

If you don't like the behavior, you have quite a few options: Remove the extension, disable it, go incognito when you don't want your extensions detected, or simply use another browser

Hmm ... it seems I may have been a little too quick. When I visit the site running the extension-detection script in incognito mode, it is still able to detect my extensions. Now I wonder if disabling is even effective.

That said, I don't really think there's anything anybody can learn about me from the extensions I have installed -- at least, not anything that I wouldn't tell a total stranger. Since there are few extensions that don't interact with at least one website, I think that's a good policy to follow even if you're a Firefox user.

Re:Isn't this expected behavior? (0)

Anonymous Coward | about 2 years ago | (#39387959)

They can fingerprint your browser defying the whole concept of incognito browsing.

Re:Isn't this expected behavior? (0)

Anonymous Coward | about 2 years ago | (#39387961)

> That said, I don't really think there's anything anybody can learn about me from the extensions I have installed

Think again. It's a few unique bits of identifying information. If you have one or two "less popular" extensions enabled, it's not unlike another SuperCookie.

Re:Isn't this expected behavior? (1)

wisnoskij (1206448) | about 2 years ago | (#39388343)

There has actually been some research in this area. Your extensions can often create a unique identifier allowing sites to track you.

Re:Isn't this expected behavior? (2)

truedfx (802492) | about 2 years ago | (#39387853)

No, that's not expected behaviour. Extensions can share information with websites, but if they don't, websites should not be able to get anything.

This is only just NOW being figured out? (0)

Anonymous Coward | about 2 years ago | (#39387815)

As far back as I can remember, any extension that interacts with the page does so by editing the actual page. Sometimes in specific ways that are unique to certain extensions.

I figured this out, funnily enough, by using *{display:block} on a page that absolutely destroyed it, and for some reason displayed source code of the page to me... (don't ask me why I did that)
And this happens across 2 separate CSS insertion scripts, and versions as far back as last spring I think, webkit just buckles with that statement for some reason.
And during this, I noticed some script and CSS in the page that came from certain extensions.

Here is an example on the No FTL Neutrinos article. Why webkit, whyyy [imgur.com]
Admittedly it could be a Chrome(ium) error. I'm never installing Safari ever again to find out, holy painful browser, I'd sooner use IE again.

Europe could use these devices to censor (-1)

Anonymous Coward | about 2 years ago | (#39387879)

It would appear that Belgium was cunningly and carefully chosen by the West to function as a Secret Shadow United Nations; or to describe it more precisely a Shadowy Disunited Nations, with the main centre of its secret scheming and private dealings being done in Brussels for practical reasons.

This is because Britain and America need to appear to be above suspicion, and we know that Herman Van Rompuy is the first President of the European Council after the Lisbon Treaty became the European Union’s current Constitution.

I cannot prove what is happening, but I can state what I would advise, and what my human weaknesses are, what tactics I would use if I were one of the more senior People who are the Real and Shadow Government of the West.

I realise that others in such a group would have other advice, human weaknesses, and tactics, and it could be that if I were to hear of their advice and their tactics, then I could easily agree that their advice and tactics could be superior to mine, but my human weaknesses would remain my own, even as their human weaknesses would remain their own.

It seems that a lot of these perpetrators mentioned in this Article are described as suffering mental problems, and I would build a Mental Institution with a Luxurious underground Palace for my People if they were ever captured.

People would volunteer to be Terrorists for me, after they have seen the underground Palace, where they are free and can satisfy their desires.

The Staff would all be Shadow CIA, and there could easily be Chauffeur driven weekend passes or longer in cars, trucks, or vans with dark windows to conceal these Puppet Criminals.

These People would have a Person that looks like them to replace them, when needed, and even if any of them were alive, I would falsely say that they had died, and I would move them to a different locality or Country.

The Article mentioned Paedophilia; and the human weaknesses of those People in that group would be accommodated, as long as it was kept secret.

I want to say that I would not commit Paedophilia, unless I loved Money and Power that much, and it was necessary to be Filmed in Acts of Bestiality and Paedophilia to ensure Loyalty to that group.

We know that a Person would be unlikely to go to jail if a Video of that Person was on the Internet, but if a Video of that Person in Acts of Paedophilia were on the Internet, then they would go to jail.

We have seen with the Stratfor Scandal would use, bribes, sex, drugs, alcohol, secret bank accounts, and blackmail etc; and could easily include threats to achieve the goals of their Clients who wanted to manipulate matters of interest to them in order to make Money, and they would pay Stratfor for their services.

There could be situations where a Person was deliberately led in temptation, and others were Secretly Filming him in Acts of Paedophilia, but not to go to the Police with it, but to Puppetize that Person for the cause of the Western Elites, or they will go to jail.

Obviously, a compliant Puppet Main Stream Media is vital for this, and this is why the Elites fear and detest the Internet, and they detest Whistle Blowers like Bradley Manning, and Real Journalists like Julian Assange, and the Western Judges know these things.

Even though a Person may claim to be a Christian, it could be that he has become a Secret Muslim, because of having a Secret Harem, and even if a Person claims to be Right Wing, he could be Left Wing, and possibly Breivik was attempting a reverse of what others are doing.

It is interesting that Breivik had a manifesto, and the purpose of it was to find self incriminating evidence, not only on Breivik to show that he was mentally unstable at the trial, but importantly to Slander others and somehow show that they were working toward the same purpose, thus reinforcing the lie that America and its Media has spread.

For those who have read Articles on this Website, and other Websites where there is proper Journalism, the only question as far as America and its Puppets are concerned is not what are their lies, rather it is, when have they ever told the truth?

This is true of the Slanders against Slobodan Milosevic, and while he was not pure, he was certainly far purer than any American President has been since the end of the Second World War.

We know that many things do not happen by chance, and that Conspiracies are planned, and it would be advisable not to overlook events within days either way of a planned Conspiracy.

Breivik’s manifesto titled 2083 a European Declaration of Independence, made mention of Slobodan Milosevic, and it falsely claimed that Milosevic was waging a War against Muslims, whereas he was waging a War against the terrorist Albanians who had wanted an Ethnically pure Greater Albania ever since their 1878 League of Prizren Public Declaration, and President Bill Clinton needed a diversion from the Monica Lewinsky Scandal.

We know that on 22 July 2011, Breivik is alleged to have done what he is alleged to have done, and as far as I am concerned his manifesto was designed to Slander the Serbs, and help Kosovo become Independent, and Breivik's manifesto has the words Independence declaration, even as the Kosovo Albanians had unilaterally declared independence on 17 February 2008, but Kosovo remains part of Serbia.

On the following day Amy Winehouse was found dead in London, and a month before that the apparently under-the-influence pop star was met with boos and jeers in Belgrade.

The rest of her European tour was subsequently cancelled, making much of Europe’s youth blame those Serbs for not being able to see her concerts, rather than the drinking or drug habits of that pop star, and the Serbs got a mention in the World Media again.

It could have been those who were in favour of Kosovo’s Independence that may have been responsible for the drinking, or the drugs, or her death, and the British have certain Doctors who will lie as to the causes because they are told to.

On 25 of July, a team of heavily armed Albanian Special Police Secretly enter into the North of Kosovo and try to take over the Administrative line between North Kosovo, and the rest of Serbia, but they leave after claiming that one of their Police Officers is killed by Serbs.

The west and the Albanian separatists may just have pretended that an Albanian Police Officer was killed, and we should not be surprised if they were ordered to provoke a situation where someone has to defend themselves, and then claim victim status, because those are their methods.

We all know that it has been said that horse racing is the sport of kings, and horses were important in the old days to establish Empires, and today, I think horses are important to retain Empires.

If I were a king, then I would only marry a woman who would love me and love my male horses, and I do not want to go into details, but that is my main human weakness, along with other things.

I think that Empires were established and retained by only having like minded vassal kings in the Puppet Countries, because this would be the way to ensure Puppetship of the vassal Countries, but the vassal Countries would never know my habits, but I could always trust them, or blackmail them to be my Puppets.

There are People who that King Henry the 8th had six wives, because he was looking for the type of woman.

We should realise that those who want to work for the Shadow rulers of the West, will have to be their Puppets to receive their Secret Bank Accounts.

Re:Europe could use these devices to censor (0)

Anonymous Coward | about 2 years ago | (#39388417)

what the...I don't even...

This bug is a feature (0)

Anonymous Coward | about 2 years ago | (#39387985)

Google Chrome extensions documentation - Manifest files - web_accessible_resources [google.com] (linked from TFA):

web_accessible_resources
An array of strings specifying the paths (relative to the package root) of packaged resources that are expected to be usable in the context of a web page.
[...]
Resources inside of packages using manifest_version 2 or above are blocked by default, and must be whitelisted for use via this property.
Resources inside of packages using manifest_version 1 are available by default, but if you do set this property, then it will be treated as a complete list of all whitelisted resources. Resources not listed will be blocked.

The real bug is Google leaving spying backdoors open. Note that by "you" they mean extension developers, not browser users. I don't see why a web site should need access to a browser extension at all. If an extension wants to modify a page, it can just do that without communicating with the website. If an extension wants to communicate with a website, it can inject a script into the page that sends an XMLHttpRequest. Of course DOM changes can also be detected, but in most cases that doesn't allow direct inference of _what_ changed the DOM.

Btw "pregnancy or religion" as the most private things in life? That's new. Usually the safe-for-work example is "you have a terrible but shameful disease and need to access online information about it".
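Hardening the setting this comment quotes, as an added example that is not from the thread, from Kotowicz's proof of concept or from Chrome's own tooling: a small audit of a manifest's web_accessible_resources. The manifest_version 3 handling and the three sample manifests are my own additions, constructed for illustration.

```javascript
// Added example (not from the thread, Kotowicz's PoC or Chrome itself): audit an
// extension manifest for the web_accessible_resources setting the quoted docs describe.
// manifest_version 1 exposes every packaged file to any page unless the list is set;
// version 2 exposes only listed paths. Every exposed path is a yes/no probe a page can
// use to tell the extension is installed, so keep the list empty or as short as needed.
// Also handles the later manifest_version 3 shape ({resources, matches} objects),
// which the quoted docs predate.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const mv = manifest.manifest_version || 1;
  const war = manifest.web_accessible_resources;

  if (mv < 2 && !Array.isArray(war)) {
    findings.push({ severity: "high",
      detail: "manifest_version 1 without web_accessible_resources: all files exposed" });
    return findings;
  }
  for (const entry of war || []) {
    // MV1/MV2 entries are path strings; MV3 entries are {resources, matches} objects.
    const isString = typeof entry === "string";
    const paths = isString ? [entry] : entry.resources || [];
    const matches = isString ? ["<all_urls>"] : entry.matches || [];
    const anyOrigin = matches.includes("<all_urls>") || matches.some(m => m.startsWith("*://"));
    for (const p of paths) {
      if (p.includes("*")) {
        findings.push({ severity: "high", detail: `wildcard "${p}" exposes a whole directory` });
      } else if (anyOrigin) {
        findings.push({ severity: "medium", detail: `"${p}" is probeable from any origin` });
      } else {
        findings.push({ severity: "low",
          detail: `"${p}" limited to ${matches.join(", ") || "listed extension ids"}` });
      }
    }
  }
  return findings;
}

// Highest severity in a findings list, "none" for a clean manifest.
function worstSeverity(findings) {
  const rank = { none: 0, low: 1, medium: 2, high: 3 };
  return findings.reduce((w, f) => (rank[f.severity] > rank[w] ? f.severity : w), "none");
}

// Constructed sample manifests (not real extensions): the two weak configurations the
// docs warn about and a hardened MV3 equivalent that exposes one file to one site.
const weakManifest = { manifest_version: 1, name: "Example (constructed)", version: "1.0" };
const wideOpenManifest = { manifest_version: 2, name: "Example (constructed)", version: "1.0",
  web_accessible_resources: ["images/*", "inject.js"] };
const hardenedManifest = { manifest_version: 3, name: "Example (constructed)", version: "1.0",
  web_accessible_resources: [{ resources: ["overlay.css"], matches: ["https://app.example.com/*"] }] };

for (const m of [weakManifest, wideOpenManifest, hardenedManifest]) {
  console.log(m.manifest_version, worstSeverity(auditWebAccessibleResources(m)));
}
```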

Hey everybody... (-1)

Anonymous Coward | about 2 years ago | (#39388051)

How many Polish security experts does it take to outsmart everyone and prove (once again) that the whole "Poles are stupid" thing is bullshit?

Just one.

Looking behind the curtain (1)

codeToDiscovery (2597559) | about 2 years ago | (#39388111)

A lot of extensions request access to your browser's X, Y, & Z... and sometimes your entire file system (???) But since we (the user/s) want to use the provided functionality in the extension, we all click "OK". Just from reading those notifications, it is still unclear WHY the extension needs those access permissions, or WHAT the extension might be doing with said access. How can we know/understand more about this process? Where is the source path of the extension & should we just be looking at the source code (assuming dev experience)?

"makes AN worrisome" (-1)

Anonymous Coward | about 2 years ago | (#39388191)

Idiots. Why do morons (or should I say "morans", like so many AMERICANS write) keep putting "an" instead of "a"? It isn't rocket science.

Old News (1)

wisnoskij (1206448) | about 2 years ago | (#39388331)

/. has at least one article, last year I think, that mentioned this fact already.

This is not a secret and a moderately well known fact.

Chrome Google vs. Privacy (2, Insightful)

markdavis (642305) | about 2 years ago | (#39388451)

People who typically choose Chrome (the Google Browser) don't strike me as people who are all THAT concerned about their privacy. It might be a nice browser, but it is closed-source, and heavy into the "Google way" (which to me means to share all your information with Google).

At least with Chromium, people can see what is going on inside...

Re:Chrome Google vs. Privacy (-1)

Anonymous Coward | about 2 years ago | (#39388591)

They are the new AOL or Myspace users. No one sane will run a browser made by an ad broker, Doubleclick's browser - an ad broker which lobbies against your privacy, and where -you- are the product. Except the brainwashed who drank the ad broker's kool-aid.

Chromium, detected 1 of 1 extensions (0)

Anonymous Coward | about 2 years ago | (#39388723)

Well, yeah it knows I run vimium. I'd like an extension that could hide the address bar or at least the tab bar. Using tiling here... sigh.

I'm willing to use other browsers though, at this point I prefer webkit, but I must have vim keys.

I use privoxy to handle all the ads and crap.

I've tried out uzbl, conkeror, but hmm... Suggestions (preferably in the debian repos?) Also something that supports whitelists, I'm kind of annoyed that I need javascript on every site to use vimium...

It Doesn't See My Extensions (1)

Zamphatta (1760346) | about 2 years ago | (#39389307)

I think somebody jumped the gun here, 'cause I'm using Chrome 17.0.963.79 on Ubuntu 11.10, and that "proof of concept" link didn't list any of my extensions.

All Browsers Allow Access (0)

Anonymous Coward | about 2 years ago | (#39389463)

You can do this with Firefox as well. Internet Explorer does not enumerate plugins but you can do the same thing, and even turn other PLUGINS off. For IE, you have to install a plugin, to get access to the plugin list. I have done it.

One more reason to use NotScript :) (0)

Anonymous Coward | about 2 years ago | (#39389593)

Good find on the part of the researcher...one more reason to use NotScript :). I went to the Proof of Concept and it didn't show anything. I looked at NotScript to see the blocked scripts and there was a long list of names that I would never allow on any Web site (I never allow anything if I don't know what it is). At the bottom it warned me that this was probably a malicious site (it apparently made that determination based on the high number of scripts it was trying to load).

Note that I have no affiliation with NotScript. I just highly recommend it for Chrome users, or NoScript if you're using Firefox.
