Browsers leak installed extensions to sites - gHacks Tech News

Browsers leak installed extensions to sites

Security researchers have discovered flaws in the extensions systems of all modern browsers that attackers may exploit to enumerate all installed browser extensions.

The attack affects all modern browsers. The researchers confirmed it in Chromium-based browsers, and believe that it affects other browsers like Firefox or Edge which use the same extensions system as well. Firefox's legacy add-on system is also vulnerable to the attack.

Chromium-based browsers like Google Chrome, Yandex and Opera, and Firefox-based browsers like Firefox or Pale Moon, and Microsoft Edge, are affected.

All browsers protect extension data from being accessed directly by websites visited in the web browser. The past has shown however that sites may use various techniques to scan for installed add-ons.

We talked about this in Are you identifiable by extensions, logins and your browser, and Fix Firefox resource URI leak.

When extensions were first introduced, websites were not blocked from accessing local resources. Mozilla and Google introduced controls to block sites from accessing these resources. This is handled by access control settings that declare all resources extensions use as private by default in Firefox, Chromium-based browsers and Microsoft Edge.

Safari uses a different protection mechanism as it randomizes resource URIs instead.

browser-extension enumeration attack

The security researchers discovered a way to enumerate installed browser extensions in the newest versions of web browsers. The "timing side-channel attack" may be used to enumerate the installed browser extensions by monitoring the browser's response to resource access.

When a site requests access to a resource of an extension in the browser, the browser needs to run two checks to see if the extension exists, and if the resource that the site wants to access is publicly available.

By monitoring the response, attackers, may identify the reason behind a request denial. The site measures the time it takes to return a request for a fake extension with fake resource and the time it takes to request a real extension with a fake path.

By comparing the time, installed extensions are revealed. According to the researchers, their approach can be used to determine with 100% accuracy if extensions are installed in a modern web browser.

By telling apart the two centralized checks that are part of the extension settings validation (either because of the side-channel or because of the different exception behaviors), it is possible to completely enumerate all the installed extensions. It is sufficient for an attacker to simply probe in a loop all existing extensions to precisely enumerate the ones installed in the system.

Closing Words

The attack relies on extension IDs and some code. The researchers grabbed about 10000 Chrome and Firefox extension IDs each and uses the information in test runs.

"Real" attackers would have to do the same, and could use the information for browser fingerprinting or targeted attacks against specific browser extensions.

Since these attacks rely on scripts, any script blocker protects against it. (via Born / Bleeping Computer)

Summary
Browsers leak installed extensions to sites
Article Name
Browsers leak installed extensions to sites
Description
Security researchers have discovered flaws in the extensions systems of all modern browsers that attackers may exploit to enumerate all installed browser extensions.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Anonymous said on August 29, 2017 at 11:10 am
    Reply

    This 100% requires JavaScript and should be mitigated by Firefox privacy protections, in particular those enabled by privacy.resistFingerprinting, which among other things reduce timing precision.

    I wonder how reliable this attack is then.

    1. Anonymous said on August 29, 2017 at 11:41 pm
      Reply

      From a Firefox engineer after reading this article:

      ” I don’t think WebExtensions in Firefox are vulnerable to this attack, because they don’t have any predictable ID by default that could be enumerated. So after Firefox 57 this shouldn’t be an issue anymore. ”

      Source: https://www.reddit.com/r/firefox/comments/6wud0j/benign_resource_uri_leak_fixed_in_nightly/dmau95k/

  2. b said on August 29, 2017 at 11:36 am
    Reply

    @Martin Brinkmann
    “Since these attacks rely on scripts, any script blocker protects against it.”
    so if I use uBlock Origin and block thirdparty scripts, I’m safe?

    1. Martin Brinkmann said on August 29, 2017 at 3:42 pm
      Reply

      No, since first-party scripts may run on the site. You need to block any script from running.

  3. Paul(us) said on August 29, 2017 at 11:55 am
    Reply

    Martin, The question that I have after reading your article is which script blocker with google and firefox are wise to use.

    First is Google Chrome is using ScriptBlock (version 1.4) enough?
    Or should I install with Tampermonkey a specific script and do you have any suggestions which one script to install?
    Does the advertisement blocker UBlock Origin any good for this specific problem?

    The second browser Mozilla Firefox add-on NoScript (version 5.09) is I think doing a good job?
    Or do You have maybe an even better option?
    Like in Google Chrome I have the same question about Ublock Origin does it do and does it add anything regarding this specific problem?
    I use also canvas defender (Version 1.10) does it anything regarding this problem or do you suggest any other add -on?

    Many questions I know but I would be ferry obliged and thankful to you Martin when you have suggestions.

    1. Hello said on August 29, 2017 at 12:54 pm
      Reply

      Hi, I’m not Martin, but I recommend as a script blocker Umatrix by gorhill, who is an amazing dev and made Ublock Origin, anything from him can be trusted and good imo
      And I’d use ViolentMonkey instead of TamperMonkey since it’s open source and Tamper may collect data.

      Also thx for the article Martin, I hope adblocker won’t be targeted by these problems.

    2. Pete said on August 29, 2017 at 2:34 pm
      Reply

      uMatrix (from the same dev as the uBlock Origin) is superior.

    3. Martin Brinkmann said on August 29, 2017 at 3:44 pm
      Reply

      Paulus, any extension that blocks any script from running is sufficient. I cannot remember if ScriptBlock blocks inline first party scripts.

      NoScript is perfect for this, as is uBlock or uMatrix, see https://www.ghacks.net/2015/02/08/ublocks-all-and-third-party-deny-modes-block-requests-by-default/

    4. Anonymous said on August 29, 2017 at 4:08 pm
      Reply

      If you want best security, NoScript

      If you want best UI with high granularity, uMatrix

      If you want a fine UI with not too high granularity, uBlock Origin

  4. Patrick Shaw said on August 29, 2017 at 11:57 am
    Reply

    “The attack affects all modern browsers. The researchers confirmed it in Chromium-based browsers, and believe that it affects other browsers like Firefox or Edge which use the same extensions system as well. Firefox’s legacy add-on system is also vulnerable to the attack.

    Chromium-based browsers like Google Chrome, Yandex and Opera, and Firefox-based browsers like Firefox or Pale Moon, and Microsoft Edge, are affected.”

    So, first it’s said to affect all modern browsers.
    Then..
    Research can confirm it in Chromium-based browsers and BELIEVE other browsers may be affected.
    Then…
    All browsers are affected, again..

    What’s it going to be?

    1. Martin Brinkmann said on August 29, 2017 at 3:40 pm
      Reply

      The researchers tested this against Chrome, but since Firefox and Edge use the same system, they are confident that it works against these browsers as well. The attack does work against Firefox legacy add-ons.

      1. Oliver said on August 29, 2017 at 4:11 pm
        Reply

        “The attack does work against Firefox legacy add-ons.”
        Which means the attack works against Palemoon. They don’t know if it works against Firefox >= 57.

      2. Sam said on August 29, 2017 at 4:16 pm
        Reply

        Unlike in Chromium-based browsers, Firefox WebExtensions use randomised extension IDs, so this attack won’t work for those. These researchers should rely less on confidence and more on evidence!

      3. Martin Brinkmann said on August 29, 2017 at 4:40 pm
        Reply

        Safari uses randomized URIs and it is vulnerable as well (albeit with less accuracy)

      4. Pants said on August 29, 2017 at 5:51 pm
        Reply

        @Sam

        The randomized moz ID actually creates a unique value for FP, … IF the extension leaks it

        > in particular, they changed the initial scheme (moz-extension://[extID]/[path]) to moz-extension://[random-UUID]/[path]. Unfortunately, while this change makes indeed more difficult to enumerate user extensions, it introduces a far more dangerous problem. In fact, the random-UUID token can now be used to precisely fingerprint users if it is leaked by an extensions. A website can retrieve this UUID and use it to uniquely identify the user, as once it is generated the random ID never changes. We reported this design-related bug to Firefox developers as well.

        They go on to recommend a random ID per use

  5. bugsy said on August 29, 2017 at 2:16 pm
    Reply

    The solution to this is given by Martin in the last line:

    ” Since these attacks rely on scripts, any script blocker protects against it. ”

    Use NoScript and never use allow javascript execution.

    Need to use javascript on a site? Use Tails in a Virtual Box virtual machine.

  6. TelV said on August 29, 2017 at 2:41 pm
    Reply

    I seem to have missed your article on how to fix the URI leak with the extension you suggested Martin. Penalty for not checking the ghacks site every day! Anyway thanks for the tip.

    1. Anonymous said on August 29, 2017 at 4:12 pm
      Reply

      Future proof note: Firefox 57 has an improved fix built-in

    2. Pants said on August 29, 2017 at 4:26 pm
      Reply

      If you mean the link in the above article to https://www.ghacks.net/2016/06/12/firefox-resource-leak/ – well the add-on does not work in FF55 and 56 (and of course cannot run in 57+). However, earthlng patched it, it is signed, you can get it here: https://github.com/ghacksuserjs/ghacks-user.js/issues/191 (first post, info from earthlng and link). If you are on ESR, then the one on AMO is fine.

      Meanwhile … https://bugzilla.mozilla.org/show_bug.cgi?id=863246 : “resource:// URIs leak information” – was resolved fixed for FF57+ about 14 hrs ago

  7. b said on August 29, 2017 at 4:33 pm
    Reply

    @Martin Brinkmann
    so would blocking firstparty and inline ( whatever that means ) scripts in uBlock Origin fix the problem?

    1. Martin Brinkmann said on August 29, 2017 at 4:39 pm
      Reply

      Yes

  8. Pants said on August 29, 2017 at 6:39 pm
    Reply

    Earthling tells me that Screenshots, the Firefox system “add-on” has content-accessible resources but it needs user-interaction to get the UUID (remember this is unique per WebExt per browser profile). In fact he just created a PoC for it (maybe you can have a link when he cleans it up! Or I’ll let him tell you). This is almost as serious as Canvas fingerprinting IMO – maybe we’ll need to vet WebExt from now on and not recommend any that expose this info.

    Timing attacks are mitigated by performance API config prefs and also in privacy.resistFingerprinting (FF56+)

    1. Pants said on August 29, 2017 at 7:27 pm
      Reply
  9. CHEF-KOCH said on August 29, 2017 at 8:44 pm
    Reply

    Just again shows you can’t count on extensions or user.js, instead this needs to be fixed within the source for everyone. I would’t give that too much credits, I’m sure there working on it right now.

  10. Crapulous Obfuscated Guy said on August 29, 2017 at 9:49 pm
    Reply

    Dudes, use different browsers. Use a specific browser only for sites where you log into.

  11. Mike J. said on August 30, 2017 at 3:28 pm
    Reply

    Query from an ignoramus: is it possible that web pages load more quickly when using a script blocker?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.