Browsers, Leak Installed Extensions to Sites



Browsers, Leak Installed Extensions to Sites

Researchers of security have recently discovered various flaws in extension systems for just about all of the modern browsers which attackers might use to exploit in order to enumerate all of the installed browser extensions.

All of the modern browsers are affected by the attack. The researchers had confirmed it for Chromium-based browsers, and they even believe that it affects browsers such as Edge or Firefox which make use of similar extensions systems. One of the add-on systems, which are vulnerable to the attacks, is Firefox’s legacy. Google Chrome, Opera and Yandex are some of the Chromium-based browsers that are affected, along with Firefox-based browsers such as Pale Moon, Firefox and Microsoft Edge. All of the browsers protect the extension data from being analyzed directed by the websites that are visited using the web browser. However, the post shows that various techniques can be used for scanning the installed add-ons.

When the extensions had been first introduced, the websites had not been blocked from being able to access the local resources in the browser. Google and Mozilla introduced controls to be able to block the sites from accessing any of the resources. The access-control settings handle this and it is used by default in Firefox, Microsoft Edge and Chromium-based browsers. A different protection mechanism is used by Safari which randomizes the resource URLs instead. Furthermore, the security researchers had discovered a way through which the installed browser extensions could be enumerated in the newest versions of the web browsers. The installed browser extensions use the timing side-channel attack to enumerate these through the monitoring of the browser’s response to the resource access.

When the site requests access to the resource of the extension for the browser, the browser would have to run two checks in order to see if the extension actually exists and whether the resource which the site wants to access has been made publically available. Through the monitoring of the response, the reason behind the request denial would be identified by the attackers. The time it takes to return the request for the fake extension would be measured by the site and the time it takes for the request for a real extension with a fake path would also be measured. With the help of comparison of time, the installed extensions can be revealed. The researchers agree that their approach is able to determine if the extensions are installed in the modern web browser with 100% accuracy. Apart from the two centralized checks which are part of the extension settings validation, it is possible to tell the different exception behaviors and to completely have all of the installed extensions enumerated.


For attackers to do something, extension IDs and some javascript code are what they rely on. Information for browser finger-printing could be used for targeted attacks against specific browser extensions.

Comments and feedback