Issue metadata
Sign in to add a comment
|
WebAccessibleResources take too long to make a decision about loading if the extension is installed
Reported by
iskander...@gmail.com,
May 12 2016
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS It is possible to enumerate/detect all installed extensions/games/apps of the user through JavaScript. VERSION All Chrome versions/editions for all operating systems and all browsers based on Chromium that support extensions (Chrome Canary, Opera, Yandex Browser...) are vulnerable to enumeration/detection of all extensions/games/apps that the user has installed. ANALYSIS AND REPRODUCTION CASE If a website tries to load a resource not present in the list of accessible resources of an extension, the browser would not allow to load it. This method has a problem related to the resource checking phase. In this phase, the browser will check the existence of the resource in the centralized list. However, the time that takes to respond when a extension is called can be measured by an adversary to finally, determine if a extension is installed or not. 1. The attacker starts by measuring the response time when calling a non-existent extension with a fake path (chrome-extension://[fakeExtID]/[fakePath]). 2. Then, the attacker calls an extension that exists but using a fake path and measures the response time (chrome-extension://[realExtID]/[fakePath]). In this way, the attacker can find out whether the extension is installed in the browser or not. In the second call due to the fact that the path is a fake one, the attacker can be sure that the path will not be in the list of accessible resources. Therefore, when the two response times are in the same time range (±5\%), the extension can be considered as not installed. Otherwise, when the response time in the second call is larger (taking into account the extra time needed to check in the web accessible list), it can be inferred that the extension is actually installed in the browser. Since the browser may not respond to every call with the very same response time because of various reasons such as computing overhead, to be sure that our proposed enumeration/detection works, it should be run for at least five times (takes milliseconds). To obtain the aforementioned times, this the code can be used: var xmlHttp = null; xmlHttp = new XMLHttpRequest(); xmlHttp.open( "GET",extURL, true ); var startTime = window.performance.now(); xmlHttp.send( null ); var endtime = window.performance.now(); var logTime = endtime-startTime; POSSIBLE FIX The resource checking phase is divided in two different internal controls: first if the extension is installed and then if the indicated path is accessible or not. Combining both in a single control (full path) could prevent enumeration/detection of installed extensions/games/apps because the time needed to make the check would be the same in all cases. IMPACT The inclusion of user's installed extensions/games/apps would enhance the uniqueness of device fingerprinting techniques and analytics (for instance for Panopticlick from EFF: https://panopticlick.eff.org/). It is also possible to identify the browser, even when user-agent is modified. For example Chrome and Opera both use a built-in extension to manage browser bookmarks: chrome-extension://eemcgdkfndhakfknompkggombfjjjeno in Chrome, that in the case of Opera is chrome-extension//knohfebhibeknbfioecpdmdkjkjdnjnl. All the information that can be collected can also be used for targeted attacks (malicious actors can know users' concrete usage of a computer: used products and services, their interests, and so on). This information can be used to develop a targeted exploit kit: depending on the result of the enumeration, the website can decide to trigger the malicious payload, or even to use different malicious payloads depending on the data. Installed extensions/games/apps can also be utilized by an attacker to increase the information about the victim in order to carry out (automatic or not) social engineering attacks. This information can be used in several ways to deceive users, posing as legitimate messages from a particular extension and leading users to perform a pernicious action. For example, the attacking website discovers that the user's browser has a password management extension installed, then the attacker tries to deceive the user asking to the password again to steal it.
,
May 12 2016
Antony's working on some similar issues, so passing to him. I'm a little surprised the difference is so significant - we know whether or not the extension is installed, so I'd think we'd also be able to quickly determine whether or not the resource exists and is whitelisted in web_accessible_resources without bouncing around too much.
,
May 13 2016
,
Jun 8 2016
,
Jun 10 2016
https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-isn-t-passive-browser-fingerprinting-including-passive-cookies-in-Chrome-s-threat-model- Closing.
,
Jun 10 2016
Let's leave this open. For one thing, I'm not sure extension fingerprinting should be in the same boat as cookie fingerprinting et al. For another, it means we're wasting time and resources, since we should be able to determine immediately if a resource is allowed or not, so it's a performance concern. I've updated the bug title to reflect the latter, since it's a more definitive issue. (feel free to remove security labels, but I'll leave that up to you)
,
Jul 13 2016
,
Jul 13 2016
,
Jun 12 2017
We are presenting this attacks in the 26th USENIX Security Symposium (August 16–18, 2017 - Vancouver, Canada) as part of the paper "Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies". We were wondering if you decided to implement some fix or mitigation to prevent this type of enumeration.
,
Jun 12 2017
Devlin - see comment 9.
,
Jun 13 2017
@9 Short answer - yes, we plan to. This is definitely something that I want us to fix, since fingerprinting user extensions should not be trivial unless the extnesion opts into it through web_accessible_resources. There are a few different approaches we can take here, and it's a matter of prioritization.
,
Jul 7 2017
,
Jul 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0e41fe8632d60a94200666e5eae0660bfdcd33e9 commit 0e41fe8632d60a94200666e5eae0660bfdcd33e9 Author: rdevlin.cronin <rdevlin.cronin@chromium.org> Date: Tue Jul 11 02:13:15 2017 [Extensions] Change renderer-side web accessible resource determination The web accessible resource determination in the renderer has an early-out for non-existent extensions. Unfortunately, this makes it possible to determine whether a user has a given extension installed through timing attacks - it takes longer to make a decision about whether to allow a resource to load when the extension is installed than when it isn't. This can be surprisingly accurate. Rejigger the web accessible resource determination in a few ways. Most importantly, keep a set of loaded extensions that have any accessible resources, and check this (rather than the full extension set) for whether to potentially allow the load. This way, an extension with no accessible resources and an uninstalled extension should take the same amount of time to reach a decision, which is the desired outcome. BUG= 709464 BUG= 611420 Review-Url: https://codereview.chromium.org/2958343002 Cr-Commit-Position: refs/heads/master@{#485494} [modify] https://crrev.com/0e41fe8632d60a94200666e5eae0660bfdcd33e9/chrome/renderer/extensions/chrome_extensions_renderer_client.cc [modify] https://crrev.com/0e41fe8632d60a94200666e5eae0660bfdcd33e9/chrome/renderer/extensions/chrome_extensions_renderer_client.h [modify] https://crrev.com/0e41fe8632d60a94200666e5eae0660bfdcd33e9/chrome/renderer/extensions/resource_request_policy.cc [modify] https://crrev.com/0e41fe8632d60a94200666e5eae0660bfdcd33e9/chrome/renderer/extensions/resource_request_policy.h [modify] https://crrev.com/0e41fe8632d60a94200666e5eae0660bfdcd33e9/extensions/common/manifest_handlers/webview_info.cc [modify] https://crrev.com/0e41fe8632d60a94200666e5eae0660bfdcd33e9/extensions/common/manifest_handlers/webview_info.h [modify] https://crrev.com/0e41fe8632d60a94200666e5eae0660bfdcd33e9/extensions/renderer/dispatcher.cc [modify] https://crrev.com/0e41fe8632d60a94200666e5eae0660bfdcd33e9/extensions/renderer/extensions_renderer_client.h
,
Aug 30 2017
,
Aug 30 2017
One interesting note in that paper is that Web Accessible resources are available for sites to access even when the extension is disabled from loading due to Incognito. Is this something that was/can/should be cleaned up as well?
,
Aug 31 2017
This specific bug should be fixed (though I'm sure we have more web-accessible-resource-related issues). I'll file a new bug for the incognito case.
,
Aug 31 2017
Yes, it is possible to identify and access installed extensions also within the private mode. The browser can check for extensions in incognito mode, even though extensions are not allowed to access the websites.
,
Aug 31 2017
Regarding other possible fixes: 1. Follow an extension schema that includes a random generated value in the URL: chrome-extension://[randomValue]/[path]. This random value should be modified across and during the same session and should be independent for each extension installed. For example, the browser should change it in every extension in every access. In this way, the random value cannot be used to fingerprint users. 2. Extensions should be analyzed for possible leakages before making them public to the users. Moreover, developer manuals should specifically discuss the problems that can cause the leakage of any random value generated.
,
Aug 31 2017
> Follow an extension schema that includes a random generated value in the URL: chrome-extension://[randomValue]/[path]. This random value should be modified across and during the same session and should be independent for each extension installed. For example, the browser should change it in every extension in every access. In this way, the random value cannot be used to fingerprint users. We've thought about this (I think it's also what FireFox does?), and it has a lot of merit. Unfortunately, doing this would be a breaking change for two cases: - extensions using the hard-coded url - websites choosing to embed an extension frame that's accessible This is something we'd like to do when we have the opportunity to make a breaking change. > 2. Extensions should be analyzed for possible leakages before making them public to the users. Moreover, developer manuals should specifically discuss the problems that can cause the leakage of any random value generated. This is difficult because some developers may intend for resources to be accessible to the web, and there are legitimate use cases for it. We do document that this can allow for fingerprinting [1], but it's probably worth having some more guidance there. [1] https://developer.chrome.com/extensions/manifest/web_accessible_resources
,
Aug 31 2017
> We've thought about this (I think it's also what FireFox does?), and it has a lot of merit. Yes, Firefox now follows a scheme based on URI randomization for WebExtensions in order to solve this same problem and other future similar ones. As you indicate, this is not an easy task, and they have some implementation problems that we are working to solve with them. > This is difficult because some developers may intend for resources to be accessible to the web, and there are legitimate use cases for it. We do document that this can allow for fingerprinting [1], but it's probably worth having some more guidance there. Maybe recommending (possibly even enforcing at some point) the use of Shadow DOM [1], could help evading compatibility problems and solve many future attacks, as shadow elements are invisible to queries from the main DOM. [1] https://www.w3.org/TR/shadow-dom/
,
Sep 1 2017
,
Sep 11 2017
,
Sep 18 2017
The VRP panel look at look at this bug, but I'm sorry to say declined to reward (as is usually the case for low severity bugs). But thanks for the report!
,
Dec 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mbarbe...@chromium.org
, May 12 2016Components: Platform>Extensions
Labels: Security_Severity-Low Security_Impact-Stable
Owner: rdevlin....@chromium.org
Status: Assigned (was: Unconfirmed)