Browsers leak installed extensions to sites
Security researchers have discovered flaws in the extensions systems of all modern browsers that attackers may exploit to enumerate all installed browser extensions.
The attack affects all modern browsers. The researchers confirmed it in Chromium-based browsers and believe it also affects other browsers, such as Firefox or Edge, that use the same extensions system. Firefox's legacy add-on system is vulnerable to the attack as well.
Affected browsers include Chromium-based browsers such as Google Chrome, Yandex and Opera, Firefox-based browsers such as Firefox and Pale Moon, and Microsoft Edge.
All browsers protect extension data from being accessed directly by websites visited in the web browser. The past has shown however that sites may use various techniques to scan for installed add-ons.
We talked about this in "Are you identifiable by extensions, logins and your browser" and "Fix Firefox resource URI leak".
When extensions were first introduced, websites were not blocked from accessing local resources. Mozilla and Google introduced controls to block sites from accessing these resources. This is handled by access control settings that declare all resources extensions use as private by default in Firefox, Chromium-based browsers and Microsoft Edge.
Safari uses a different protection mechanism as it randomizes resource URIs instead.
The security researchers discovered a way to enumerate installed browser extensions in the newest versions of web browsers. The "timing side-channel attack" may be used to enumerate the installed browser extensions by monitoring the browser's response to resource access.
When a site requests access to a resource of an extension in the browser, the browser needs to run two checks to see if the extension exists, and if the resource that the site wants to access is publicly available.
By monitoring the response, attackers may identify the reason behind a request denial. The site measures the time the browser takes to respond to a request for a fake extension with a fake resource, and the time it takes to respond to a request for a real extension with a fake path.
By comparing the time, installed extensions are revealed. According to the researchers, their approach can be used to determine with 100% accuracy if extensions are installed in a modern web browser.
By telling apart the two centralized checks that are part of the extension settings validation (either because of the side-channel or because of the different exception behaviors), it is possible to completely enumerate all the installed extensions. It is sufficient for an attacker to simply probe in a loop all existing extensions to precisely enumerate the ones installed in the system.
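The following is an added example, not code from the researchers or from any browser, that models the two-step check described above and shows why the early exit is observable and how a uniform check removes the difference. The extension IDs, the resource names and the step counter (a deterministic stand-in for wall-clock time) are constructed for illustration.

```javascript
// Constructed table of "installed" extensions and their web-accessible resources.
const REAL_ID = "abcdefghijklmnopabcdefghijklmnop"; // constructed, not a real extension
const FAKE_ID = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"; // constructed, never installed
const installed = new Map([[REAL_ID, new Set(["icon.png"])]]);
const EMPTY = new Set();

// Leaky model: check 1 (does the extension exist?) returns early on failure,
// so check 2 (is the resource public?) only runs for installed extensions.
// A denial for a fake ID therefore costs less work than a denial for a real ID.
function leakyCheck(extId, path) {
  let steps = 0;
  steps++; // check 1: extension lookup
  const accessible = installed.get(extId);
  if (accessible === undefined) return { allowed: false, steps }; // early exit
  steps++; // check 2: resource lookup, reached only for real IDs
  return { allowed: accessible.has(path), steps };
}

// Hardened model: both lookups always run and the denial is identical,
// so the amount of work no longer depends on whether the ID is installed.
function uniformCheck(extId, path) {
  let steps = 0;
  steps++; // check 1: extension lookup, result kept but never short-circuits
  const accessible = installed.get(extId) ?? EMPTY;
  steps++; // check 2: resource lookup runs for every request
  return { allowed: accessible.has(path), steps };
}

// Self-test a browser developer could run: does a denied request for a real
// ID cost a different amount of work than a denied request for a fake ID?
function existenceLeaks(check) {
  const real = check(REAL_ID, "missing.js");
  const fake = check(FAKE_ID, "missing.js");
  return real.steps !== fake.steps;
}
```

In a real browser the step count corresponds to measurable latency or to distinct error paths; the point of the uniform variant is that both denials take the same path.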
The attack relies on extension IDs and some code. The researchers grabbed about 10000 Chrome and Firefox extension IDs each and used the information in test runs.
"Real" attackers would have to do the same, and could use the information for browser fingerprinting or targeted attacks against specific browser extensions.