Firefox Addon Detector identifies installed Firefox add-ons

Martin Brinkmann
Dec 14, 2015
Updated • Jun 25, 2017
Firefox, Firefox add-ons
|
21

Firefox Addon Detector is a web service that reveals if Firefox users connecting to the service have specific Firefox add-ons installed.

If you are using the Firefox web browser you may know that Firefox uses local resources such as images or style sheets. One simple example is about:logo which displays the Firefox logo when used as an image tag on a website but only if the website is visited using the Firefox browser.

About:logo is a reference to an image, and since it is a Firefox specific reference, it only works if the browser is used as other browsers such as Chrome or Microsoft Edge don't know about the reference or ship with the image that is linked.

One issue that arises out of this is that the scanning can be abused. First, it enables any website to identify that Firefox is being used with 100% accuracy. Second, it can also be used to identify add-ons of the browser if they reference local files.

Not all Firefox add-ons can be listed on a web page using the hack. Technically speaking, any Firefox add-on that uses the parameter contentaccessible=yes in its chrome.manifest file can.

Firefox Addon Detector

Firefox Addon Detector is a free web service that demonstrates the hack. It checks whether Firefox is the browser used to open the website and whether one or multiple of more than 400 add-ons are installed in the browser.

firefox addon detector

The author scanned more than 12,000 add-ons and found the flag present in more than 400 of them including popular extensions such as Adblock. While that is not a lot, considering that it is less than 4% of all add-ons, the hack is not the only one that sites can use to find out if specific add-ons are installed in the browser.

Update: The Adblock detection uses a different mechanic. It detects whether a resource that it tries to fetch is blocked, and it if is, assumes that Adblock is used based on that.

The technique is not new, and first mentions of it date back as early as 2007. Other articles mentioning it can be found here and here. The situation was worse previously and changed only after Mozilla required extension developer to explicitly use the contentaccessible parameter in the manifest file to allow local files to be referenced on remote Internet pages.

Extensions like NoScript won't help protect against this as the enumeration does not require JavaScript.

What Firefox users can do is check whether their installed extensions use the parameter so that they are at least aware of this.

The information may be used to fingerprint systems, and maybe also in attacks.

Summary
Firefox Addon Detector identifies installed Firefox add-ons
Article Name
Firefox Addon Detector identifies installed Firefox add-ons
Description
Firefox Addon Detector is a free web service that displays if certain Firefox add-ons are installed in the web browser connecting to the site.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. gorhill said on December 15, 2015 at 3:47 pm
    Reply

    Martin, there is misrepresentation on that site regarding how Adblock Plus specifically is detected:

    The page does NOT detect Adblock Plus (or uBlock Origin, or any blocker) through the `chrome://` trick.

    The detection for Adblock Plus is simply done through the usual fetching of a resource which is usually blocked by EasyList (`/adblock.js` here).

    It’s wrong for the site to imply Adblock Plus is detected through the `chrome://` trick: it’s misleading.

    An issue was opened for uBlock Origin about this: https://github.com/gorhill/uBlock/issues/1035#, someone was misled to think the site detected uBlock Origin through the `chrome://` trick.

    For demonstration purpose, the following filter will make the site no longer see that the user is using a blocker:

    @@||thehackerblog.com/addon_scanner/adblock.js$script,~third-party

    1. gorhill said on December 15, 2015 at 11:24 pm
      Reply

      Actually, I need to correct myself too, I just noticed that it does say “(Detected via non-chrome:// trickery)” in there — so I can’t say the site is “misleading” re. Adblock Plus.

      Easy to miss though — more accurately the site should say “Something blocked our `/adblock.js` resource on this page — possibly because you are using a blocker?”, or better just remove that test since the headline contains “through chrome:// URI trickery!”

    2. Martin Brinkmann said on December 15, 2015 at 3:52 pm
      Reply

      Thanks, I have updated the article to reflect that.

  2. Jonathan said on December 15, 2015 at 4:10 am
    Reply

    Only showing one addon, adblock which is not adblock but uBlock, and I have 23 installed and running, and it has nothing to do with NoScript, I checked and the site calls no scripts other then Google Analytics (which I have blocked)

  3. yeahok said on December 15, 2015 at 1:38 am
    Reply

    Why would you “think” that? If you view-source the scanner page and/or visit the json dump URL, you’ll see the detection mechanisms, the asset(s) of each contentaccessible=yes vulnerable extension which the scanner looks for, etc.

    We can poke to figure out why the scanner (published over a year ago) is no longer working against some current browsers, but the scanner is a real/valid tool. It is _NOT_ scamware or whatever you’re implying in your comment.

  4. jasray said on December 15, 2015 at 12:28 am
    Reply

    I think HackerBlog is only scanning your computers for IP addresses which it is then selling to third party spam centers.

    Not long ago, EFF mentioned the site and its questionable activities.

    1. Mystique said on December 15, 2015 at 1:08 pm
      Reply

      I agree with Jasray.
      Regardless of if it isn’t harmful I wouldn’t trust it anyway.

      I’m a bit disappointed in you this time Martin as this seems a bit irresponsible of you.
      I see no merit in this site and the article could have done without it.

    2. Jason said on December 15, 2015 at 3:36 am
      Reply

      They are welcome to have my VPN’s IP. ^_^

      Thanks for the tip, though.

  5. Dougle said on December 14, 2015 at 11:52 pm
    Reply

    Completely fails with NoScript enabled or UBO in hard mode. After disabling UBO and allowing in NS, it detected firefox but none of the 32 add-ons installed.

  6. Pants said on December 14, 2015 at 11:39 pm
    Reply

    I saw this site ages ago – probably visited it and tested it out about a dozen times. I have a FVD Speed Dial tab called “Fingerprint” with 32 sites for testing fingerprinting (and other things like SSL) and sometimes when I’m bored, I go test them all. The last time was probably about a month ago.

    It used to detect, from memory, about 4 of my 60+ add-ons (I cannot remember what they were except for Adblock Plus). I tested just before, and it simply returns nothing. I’m not blocking anything I swear (toggled off privoxy, made sure uBO & NoScript didn’t block anything including cloudflare which I never needed before). It did start running the script but then just stops – I see a heap of “transferring data”, “waiting for” … and then it dies.

    Anyone else having this problem?

    1. not_black said on December 14, 2015 at 11:08 pm
      Reply

      Is there a change log?

  7. Tom Hawack said on December 14, 2015 at 10:06 pm
    Reply

    Firefox Add-on Detector states that Firefox is installed (correct) and after, sees only Adblock as installed.
    I don’t have any add-on called Adblock but I do have 65 add-ons installed.
    Needs training!

    The most interesting is the emphasize on add-ons’ detection by websites. Another Web inquisition.

    1. Jason said on December 15, 2015 at 12:18 am
      Reply

      I had the same result as you, Tom: Firefox + Adblock, and I do not use Adblock. Also worth noting that this only works when scripting is enabled. (Yet another reason in a long list for using NoScript.)

      In any case, the very fact that this method can detect the browser is interesting for anyone using some kind of user agent spoofing. If your browser is pretending to be another browser, but is actually detectable, that combination of facts may actually make you MORE fingerprintable than if you had not used the user agent spoofing in the first place.

      Sometimes less is more, when it comes to anonymity.

      1. Tom Hawack said on December 15, 2015 at 11:31 am
        Reply

        As Pants mentioned above and as it is mentioned in the article (now that reading Pants brought this to my attention), “It will only detect addons where the developer has explicitly put contentaccessible=yes (or something like that) in the manifest (i.e in the code inside the xpi or addon file) – so it will not detect all your addons. ” explains perhaps why the “Detector” detects nothing… or 0+ (plus what? No idea).

      2. Jason said on December 15, 2015 at 3:34 am
        Reply

        Interesting. I took a look with uBlock Origin just now and I’m seeing what you’re seeing. I guess the tests are failing for “internal reasons”, as you put it.

      3. Tom Hawack said on December 15, 2015 at 1:35 am
        Reply

        The NoScript add-on isn’t installed here, javascript is not disabled, but I do use uBlockO and it shows, on the Firefox Add-on Detector’s page, that only one script from the site itself is blocked, an adblock.js. There are two external sites called and required for display of which uBlockO found nothing to block from within the 60,000+ filters & 60,000+ cosmetic filters I’ve provided. So I have the feeling that Firefox Add-on Detector is not functional more for internal reasons than because of users’ defenses.

    2. Moloch said on December 14, 2015 at 11:04 pm
      Reply

      same here, got 21 addons, only detects adblock (which is uBlock but ok)

    3. not_black said on December 14, 2015 at 10:26 pm
      Reply

      It fails on me too, I’m guessing because of NoScript.

  8. Facta said on December 14, 2015 at 10:02 pm
    Reply

    I tried several times and NOPE; it’s unabled to detect my add-ons, even with JavaScript enabled. I’m using Firefox ESR 38.4.0 with 3 installed add-ons.

    1. Pants said on December 14, 2015 at 11:44 pm
      Reply

      It will only detect addons where the developer has explicitly put contentaccessible=yes (or something like that) in the manifest (i.e in the code inside the xpi or addon file) – so it will not detect all your addons. It is also based on a list of addons from over a year ago – so a lot of brand new addons aren’t even tested for, Your sample size of 3 addons probably won’t trigger anything (although Adblock Plus and uBlock [Origin] seems to trigger it and they’re rather popular).

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.