Firefox Addon Detector identifies installed Firefox add-ons
Firefox Addon Detector is a web service that reveals if Firefox users connecting to the service have specific Firefox add-ons installed.
If you are using the Firefox web browser you may know that Firefox uses local resources such as images or style sheets. One simple example is about:logo which displays the Firefox logo when used as an image tag on a website but only if the website is visited using the Firefox browser.
About:logo is a reference to an image. Because the reference is specific to Firefox, it only resolves in Firefox; other browsers such as Chrome or Microsoft Edge do not recognize the reference and do not ship with the image that is linked.
One issue that arises out of this is that websites can abuse such references to probe the browser. First, it enables any website to identify that Firefox is being used with 100% accuracy. Second, it can also be used to identify add-ons of the browser if they reference local files.
Not all Firefox add-ons can be listed on a web page using the hack. Technically speaking, any Firefox add-on that uses the parameter contentaccessible=yes in its chrome.manifest file can.
Firefox Addon Detector
Firefox Addon Detector is a free web service that demonstrates the hack. It checks whether Firefox is the browser used to open the website and whether any of more than 400 add-ons are installed in the browser.
The author scanned more than 12,000 add-ons and found the flag present in more than 400 of them, including popular extensions such as Adblock. While that is not a lot, considering that it is less than 4% of all add-ons, the hack is not the only one that sites can use to find out if specific add-ons are installed in the browser.
Update: The Adblock detection uses a different mechanic. It detects whether a resource that it tries to fetch is blocked, and if it is, assumes that Adblock is used based on that.
The technique is not new, and first mentions of it date back as early as 2007. Other articles mentioning it can be found here and here. The situation was worse previously and changed only after Mozilla required extension developers to explicitly use the contentaccessible parameter in the manifest file to allow local files to be referenced on remote Internet pages.
What Firefox users can do is check whether their installed extensions use the parameter so that they are at least aware of this.
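One way to carry out that check, as an added example (not code from the article or from the Firefox Addon Detector site): the script below reads the chrome.manifest of every add-on in a folder and lists the chrome packages registered with contentaccessible=yes. It assumes add-ons are stored as .xpi archives or unpacked folders in the profile's extensions directory; the add-on names in `build_sample` are constructed sample data.

```python
import sys
import tempfile
import zipfile
from pathlib import Path

def exposed_packages(manifest_text):
    """Chrome packages whose 'content' line carries contentaccessible=yes."""
    found = []
    for line in manifest_text.splitlines():
        parts = line.split()  # content <package> <location> [flags ...]
        flags = [p.lower() for p in parts[3:]]
        if parts[:1] == ["content"] and "contentaccessible=yes" in flags:
            found.append(parts[1])
    return found

def read_manifest(addon):
    """chrome.manifest text from a packed .xpi or an unpacked add-on directory."""
    try:
        if addon.is_dir():
            return (addon / "chrome.manifest").read_text(errors="replace")
        with zipfile.ZipFile(addon) as xpi:
            return xpi.read("chrome.manifest").decode("utf-8", "replace")
    except (KeyError, OSError, zipfile.BadZipFile):
        return ""  # not an add-on, or it ships no chrome.manifest

def audit_extensions(extensions_dir):
    """Map add-on name -> packages that remote pages may reference."""
    found = {a.name: exposed_packages(read_manifest(a))
             for a in sorted(Path(extensions_dir).iterdir())}
    return {name: pkgs for name, pkgs in found.items() if pkgs}

def build_sample(root):
    """Constructed sample data: three made-up add-ons, two exposing content."""
    root = Path(root)
    with zipfile.ZipFile(root / "exposed@example.xpi", "w") as xpi:
        xpi.writestr("chrome.manifest", "content demo c/ contentaccessible=yes\n")
    with zipfile.ZipFile(root / "private@example.xpi", "w") as xpi:
        xpi.writestr("chrome.manifest", "content quiet chrome/content/\n")
    unpacked = root / "unpacked@example"
    unpacked.mkdir()
    (unpacked / "chrome.manifest").write_text("content tools t/ contentaccessible=yes\n")
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for name, packages in audit_extensions(target).items():
        print(f"{name}: exposed packages: {', '.join(packages)}")
```

Pass the path of the profile's extensions folder as the first argument; without an argument the script runs against the constructed sample.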
The information may be used to fingerprint systems, and maybe also in attacks.
It will only detect addons where the developer has explicitly put contentaccessible=yes (or something like that) in the manifest (i.e. in the code inside the xpi or addon file) – so it will not detect all your addons. It is also based on a list of addons from over a year ago – so a lot of brand new addons aren’t even tested for. Your sample size of 3 addons probably won’t trigger anything (although Adblock Plus and uBlock [Origin] seem to trigger it and they’re rather popular).
Firefox Add-on Detector states that Firefox is installed (correct) and after, sees only Adblock as installed.
I don’t have any add-on called Adblock but I do have 65 add-ons installed.
The most interesting is the emphasis on add-ons’ detection by websites. Another Web inquisition.
It fails on me too, I’m guessing because of NoScript.
same here, got 21 addons, only detects adblock (which is uBlock but ok)
I had the same result as you, Tom: Firefox + Adblock, and I do not use Adblock. Also worth noting that this only works when scripting is enabled. (Yet another reason in a long list for using NoScript.)
In any case, the very fact that this method can detect the browser is interesting for anyone using some kind of user agent spoofing. If your browser is pretending to be another browser, but is actually detectable, that combination of facts may actually make you MORE fingerprintable than if you had not used the user agent spoofing in the first place.
Sometimes less is more, when it comes to anonymity.
Interesting. I took a look with uBlock Origin just now and I’m seeing what you’re seeing. I guess the tests are failing for “internal reasons”, as you put it.
As Pants mentioned above and as it is mentioned in the article (now that reading Pants brought this to my attention), “It will only detect addons where the developer has explicitly put contentaccessible=yes (or something like that) in the manifest (i.e in the code inside the xpi or addon file) – so it will not detect all your addons.” explains perhaps why the “Detector” detects nothing… or 0+ (plus what? No idea).
Is there a change log?
I saw this site ages ago – probably visited it and tested it out about a dozen times. I have a FVD Speed Dial tab called “Fingerprint” with 32 sites for testing fingerprinting (and other things like SSL) and sometimes when I’m bored, I go test them all. The last time was probably about a month ago.
It used to detect, from memory, about 4 of my 60+ add-ons (I cannot remember what they were except for Adblock Plus). I tested just before, and it simply returns nothing. I’m not blocking anything I swear (toggled off privoxy, made sure uBO & NoScript didn’t block anything including cloudflare which I never needed before). It did start running the script but then just stops – I see a heap of “transferring data”, “waiting for” … and then it dies.
Anyone else having this problem?
Completely fails with NoScript enabled or UBO in hard mode. After disabling UBO and allowing in NS, it detected firefox but none of the 32 add-ons installed.
I think HackerBlog is only scanning your computers for IP addresses which it is then selling to third party spam centers.
Not long ago, EFF mentioned the site and its questionable activities.
They are welcome to have my VPN’s IP. ^_^
Thanks for the tip, though.
I agree with Jasray.
Regardless of if it isn’t harmful I wouldn’t trust it anyway.
I’m a bit disappointed in you this time Martin as this seems a bit irresponsible of you.
I see no merit in this site and the article could have done without it.
Why would you “think” that? If you view-source the scanner page and/or visit the json dump URL, you’ll see the detection mechanisms, the asset(s) of each contentaccessible=yes vulnerable extension which the scanner looks for, etc.
We can poke to figure out why the scanner (published over a year ago) is no longer working against some current browsers, but the scanner is a real/valid tool. It is _NOT_ scamware or whatever you’re implying in your comment.
Only showing one addon, adblock which is not adblock but uBlock, and I have 23 installed and running, and it has nothing to do with NoScript, I checked and the site calls no scripts other than Google Analytics (which I have blocked).
Martin, there is misrepresentation on that site regarding how Adblock Plus specifically is detected:
The page does NOT detect Adblock Plus (or uBlock Origin, or any blocker) through the `chrome://` trick.
The detection for Adblock Plus is simply done through the usual fetching of a resource which is usually blocked by EasyList (`/adblock.js` here).
It’s wrong for the site to imply Adblock Plus is detected through the `chrome://` trick: it’s misleading.
An issue was opened for uBlock Origin about this: https://github.com/gorhill/uBlock/issues/1035#, someone was misled to think the site detected uBlock Origin through the `chrome://` trick.
For demonstration purpose, the following filter will make the site no longer see that the user is using a blocker:
Thanks, I have updated the article to reflect that.
Actually, I need to correct myself too, I just noticed that it does say “(Detected via non-chrome:// trickery)” in there — so I can’t say the site is “misleading” re. Adblock Plus.
Easy to miss though — more accurately the site should say “Something blocked our `/adblock.js` resource on this page — possibly because you are using a blocker?”, or better just remove that test since the headline contains “through chrome:// URI trickery!”