Browsers leak installed extensions to sites
Security researchers have discovered flaws in the extensions systems of all modern browsers that attackers may exploit to enumerate all installed browser extensions.
The attack affects all modern browsers. The researchers confirmed it in Chromium-based browsers, and believe that it affects other browsers like Firefox or Edge which use the same extensions system as well. Firefox's legacy add-on system is also vulnerable to the attack.
Chromium-based browsers such as Google Chrome, Yandex and Opera, Firefox-based browsers such as Firefox and Pale Moon, and Microsoft Edge are all affected.
All browsers protect extension data from being accessed directly by websites visited in the web browser. The past has shown however that sites may use various techniques to scan for installed add-ons.
We talked about this in Are you identifiable by extensions, logins and your browser, and Fix Firefox resource URI leak.
When extensions were first introduced, websites were not blocked from accessing local extension resources. Mozilla and Google later introduced controls to block sites from accessing these resources. In Firefox, Chromium-based browsers and Microsoft Edge this is handled by access control settings in the extension itself, which declare every resource the extension ships as private by default unless the extension explicitly marks it as accessible to web pages.
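Which resources end up reachable from a web page is decided by the extension's own manifest, so an extension developer can check this before shipping. The following Node.js script is an added example (not code from the article, from the researchers, or from any browser vendor): it reads the `web_accessible_resources` section in both the Manifest V2 form (a plain list of globs, reachable from any origin) and the Manifest V3 form (`{resources, matches}` entries) and reports which of the extension's files a site could load and whether the entry applies to every site. The function names, the file list and the three manifests are constructed for the example.

```javascript
// Added example, not from the article or from any browser vendor: audit an
// extension manifest for resources that ordinary web pages are allowed to load.
// Only files listed under web_accessible_resources are reachable from a site;
// in Firefox their URL carries the per-profile extension UUID, so every entry
// here is a potential fingerprint if the extension ever injects that URL into
// page content.

// Turn a manifest glob such as "images/*.png" into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                 // "*" matches any run of characters
  return new RegExp("^" + escaped + "$");
}

// True when a match pattern covers every site ("<all_urls>" or a "*" host).
function matchesAllSites(matchPattern) {
  if (matchPattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(matchPattern);
  return m !== null && m[2] === "*";
}

// Normalise the MV2 form (array of globs, reachable from any origin) and the
// MV3 form (array of {resources, matches}) into one list of entries.
function exposedResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 3) {
    return war.flatMap((entry) =>
      (entry.resources || []).map((pattern) => ({
        pattern,
        matches: entry.matches || [],
      }))
    );
  }
  return war.map((pattern) => ({ pattern, matches: ["<all_urls>"] }));
}

// Audit a manifest against the list of files shipped in the extension.
// Returns which files are public, plus per-entry flags for wildcard globs
// and catch-all site lists.
function auditManifest(manifest, files) {
  const findings = [];
  const exposed = new Set();
  for (const { pattern, matches } of exposedResources(manifest)) {
    const re = globToRegExp(pattern);
    const hits = files.filter((f) => re.test(f));
    hits.forEach((f) => exposed.add(f));
    findings.push({
      pattern,
      wildcardPattern: pattern.includes("*"),
      allSites: matches.some(matchesAllSites),
      exposedFiles: hits,
    });
  }
  return { exposed: [...exposed].sort(), findings };
}

// Convenience check for the desirable default: nothing is web-accessible.
function isFullyPrivate(manifest, files) {
  return auditManifest(manifest, files).exposed.length === 0;
}

// Constructed sample data: a hypothetical extension's file list and three manifests.
const SAMPLE_FILES = ["background.js", "content/inject.js", "icons/logo.svg", "ui/popup.html"];

// Weak: an MV2 manifest that exposes every file to every origin.
const WEAK_MV2 = { manifest_version: 2, name: "demo", web_accessible_resources: ["*"] };

// Tighter: an MV3 manifest that exposes one icon, and only to one site.
const SCOPED_MV3 = {
  manifest_version: 3,
  name: "demo",
  web_accessible_resources: [
    { resources: ["icons/logo.svg"], matches: ["https://example.com/*"] },
  ],
};

// Best: nothing listed, so the browser keeps every resource private.
const PRIVATE_MV3 = { manifest_version: 3, name: "demo" };

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, m] of [["weak", WEAK_MV2], ["scoped", SCOPED_MV3], ["private", PRIVATE_MV3]]) {
    console.log(label, JSON.stringify(auditManifest(m, SAMPLE_FILES)));
  }
}
```

Run it with `node audit.js`: the weak manifest reports all four files as public from every site, the scoped one reports only the icon and only for the listed site, and the private one reports nothing. The useful rule for a developer is that the list should be empty unless a content script really must load a file from the extension package, and in that case a specific filename with a narrow `matches` list beats a wildcard.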
Safari uses a different protection mechanism as it randomizes resource URIs instead.
The security researchers discovered a way to enumerate installed browser extensions in the newest versions of web browsers. The "timing side-channel attack" may be used to enumerate the installed browser extensions by monitoring the browser's response to resource access.
When a site requests access to a resource of an extension in the browser, the browser needs to run two checks to see if the extension exists, and if the resource that the site wants to access is publicly available.
By monitoring the response, attackers may identify the reason behind a request denial. The site measures the time it takes for a request for a fake extension with a fake resource to be rejected, and the time it takes for a request for a real extension with a fake path to be rejected.
Comparing the two times reveals whether the extension is installed. According to the researchers, their approach can determine with 100% accuracy whether an extension is installed in a modern web browser.
By telling apart the two centralized checks that are part of the extension settings validation (either because of the side-channel or because of the different exception behaviors), it is possible to completely enumerate all the installed extensions. It is sufficient for an attacker to simply probe in a loop all existing extensions to precisely enumerate the ones installed in the system.
Closing Words
The attack relies on extension IDs and some code. The researchers grabbed about 10000 Chrome and Firefox extension IDs each and used the information in test runs.
"Real" attackers would have to do the same, and could use the information for browser fingerprinting or targeted attacks against specific browser extensions.
Since these attacks rely on scripts, any script blocker protects against it. (via Born / Bleeping Computer)
Query from an ignoramus: is it possible that web pages load more quickly when using a script blocker?
Dudes, use different browsers. Use a specific browser only for sites where you log into.
Just again shows you can’t count on extensions or user.js; instead this needs to be fixed within the source for everyone. I wouldn’t give that too much credit, I’m sure they’re working on it right now.
Earthling tells me that Screenshots, the Firefox system “add-on” has content-accessible resources but it needs user-interaction to get the UUID (remember this is unique per WebExt per browser profile). In fact he just created a PoC for it (maybe you can have a link when he cleans it up! Or I’ll let him tell you). This is almost as serious as Canvas fingerprinting IMO – maybe we’ll need to vet WebExt from now on and not recommend any that expose this info.
Timing attacks are mitigated by performance API config prefs and also in privacy.resistFingerprinting (FF56+)
PoC: https://earthlng.github.io/testpages/screenshots_FP.html
@Martin Brinkmann
so would blocking firstparty and inline (whatever that means) scripts in uBlock Origin fix the problem?
Yes
I seem to have missed your article on how to fix the URI leak with the extension you suggested Martin. Penalty for not checking the ghacks site every day! Anyway thanks for the tip.
If you mean the link in the above article to https://www.ghacks.net/2016/06/12/firefox-resource-leak/ – well the add-on does not work in FF55 and 56 (and of course cannot run in 57+). However, earthlng patched it, it is signed, you can get it here: https://github.com/ghacksuserjs/ghacks-user.js/issues/191 (first post, info from earthlng and link). If you are on ESR, then the one on AMO is fine.
Meanwhile … https://bugzilla.mozilla.org/show_bug.cgi?id=863246 : “resource:// URIs leak information” – was resolved fixed for FF57+ about 14 hrs ago
Future proof note: Firefox 57 has an improved fix built-in
The solution to this is given by Martin in the last line:
“Since these attacks rely on scripts, any script blocker protects against it.”
Use NoScript and never allow JavaScript execution.
Need to use JavaScript on a site? Use Tails in a VirtualBox virtual machine.
“The attack affects all modern browsers. The researchers confirmed it in Chromium-based browsers, and believe that it affects other browsers like Firefox or Edge which use the same extensions system as well. Firefox’s legacy add-on system is also vulnerable to the attack.
Chromium-based browsers like Google Chrome, Yandex and Opera, and Firefox-based browsers like Firefox or Pale Moon, and Microsoft Edge, are affected.”
So, first it’s said to affect all modern browsers.
Then..
Research can confirm it in Chromium-based browsers and BELIEVE other browsers may be affected.
Then…
All browsers are affected, again..
What’s it going to be?
The researchers tested this against Chrome, but since Firefox and Edge use the same system, they are confident that it works against these browsers as well. The attack does work against Firefox legacy add-ons.
@Sam
The randomized moz ID actually creates a unique value for FP, … IF the extension leaks it
> in particular, they changed the initial scheme (moz-extension://[extID]/[path]) to moz-extension://[random-UUID]/[path]. Unfortunately, while this change indeed makes it more difficult to enumerate user extensions, it introduces a far more dangerous problem. In fact, the random-UUID token can now be used to precisely fingerprint users if it is leaked by an extension. A website can retrieve this UUID and use it to uniquely identify the user, as once it is generated the random ID never changes. We reported this design-related bug to Firefox developers as well.
They go on to recommend a random ID per use
Unlike in Chromium-based browsers, Firefox WebExtensions use randomised extension IDs, so this attack won’t work for those. These researchers should rely less on confidence and more on evidence!
Safari uses randomized URIs and it is vulnerable as well (albeit with less accuracy)
“The attack does work against Firefox legacy add-ons.”
Which means the attack works against Pale Moon. They don’t know if it works against Firefox >= 57.
Martin, the question that I have after reading your article is which script blocker for Google Chrome and Firefox is wise to use.
First, is using ScriptBlock (version 1.4) in Google Chrome enough?
Or should I install a specific script with Tampermonkey, and do you have any suggestions which script to install?
Is the advertisement blocker uBlock Origin any good for this specific problem?
For the second browser, Mozilla Firefox, the add-on NoScript (version 5.09) is, I think, doing a good job?
Or do you maybe have an even better option?
Like in Google Chrome, I have the same question about uBlock Origin: does it do or add anything regarding this specific problem?
I also use Canvas Defender (version 1.10); does it do anything regarding this problem, or do you suggest any other add-on?
Many questions I know, but I would be very obliged and thankful to you, Martin, when you have suggestions.
If you want best security, NoScript
If you want best UI with high granularity, uMatrix
If you want a fine UI with not too high granularity, uBlock Origin
Paulus, any extension that blocks any script from running is sufficient. I cannot remember if ScriptBlock blocks inline first party scripts.
NoScript is perfect for this, as is uBlock or uMatrix, see https://www.ghacks.net/2015/02/08/ublocks-all-and-third-party-deny-modes-block-requests-by-default/
uMatrix (from the same dev as the uBlock Origin) is superior.
Hi, I’m not Martin, but I recommend as a script blocker uMatrix by gorhill, who is an amazing dev and made uBlock Origin; anything from him can be trusted and is good imo.
And I’d use Violentmonkey instead of Tampermonkey since it’s open source and Tampermonkey may collect data.
Also thx for the article Martin, I hope adblocker won’t be targeted by these problems.
@Martin Brinkmann
“Since these attacks rely on scripts, any script blocker protects against it.”
so if I use uBlock Origin and block thirdparty scripts, I’m safe?
No, since first-party scripts may run on the site. You need to block any script from running.
This 100% requires JavaScript and should be mitigated by Firefox privacy protections, in particular those enabled by privacy.resistFingerprinting, which among other things reduce timing precision.
I wonder how reliable this attack is then.
From a Firefox engineer after reading this article:
“I don’t think WebExtensions in Firefox are vulnerable to this attack, because they don’t have any predictable ID by default that could be enumerated. So after Firefox 57 this shouldn’t be an issue anymore.”
Source: https://www.reddit.com/r/firefox/comments/6wud0j/benign_resource_uri_leak_fixed_in_nightly/dmau95k/