Security: Can detect installed Chrome extension (even without web_accessible_resources)
Reported by stefan.v...@gmail.com, Mar 15 2017
Issue description

VULNERABILITY DETAILS

Security & privacy issue where a website can find the installed Chrome extension from the CSS element of that Chrome extension (even with no elements in the "web_accessible_resources" manifest). It can also detect the installed Chrome extension from another user profile in the Chrome web browser (where this Chrome extension is not installed on that user profile 'people1'). There is an 'information leak': the website owner can find the installed Chrome extension.

1. Install the "Turn Off the Lights" Chrome extension: https://chrome.google.com/webstore/detail/turn-off-the-lights/bfbmjmiodbnnpllbbbfblcplfjjepjdn
2. Then go to this page: https://www.turnoffthelights.com/exdetect.html
3. It will find that this Chrome extension is installed on this Chrome web browser, because the CSS element "__totl-icon" is part of the Chrome extension stylesheet file.

But if you create a new user profile:

1. chrome://settings/createProfile, with NO Chrome extensions installed on this profile.
2. Open this page: https://www.turnoffthelights.com/exdetect.html
3. It will find that this Chrome extension is installed on this Chrome web browser.

VERSION

Chrome Version: 56.0.2924.87 (64-bit) + stable
Operating System: macOS Sierra 10.12.3

NOTE: The test document works only online, and not offline (c://) => https://www.turnoffthelights.com/exdetect.html
Mar 15 2017

I'm able to reproduce "Same Profile" detection (as expected) in 57.2987 and 59.3041 on Windows. I am not able to reproduce "Cross Profile" detection (in a different profile without the extension installed, on the same PC) in those Chrome versions. Is there any chance that the extension in question is unexpectedly enabled in the new profile due to Sync or another configuration change on your PC?
Mar 15 2017

Hi there, I did the last step again, and yes, I just found out that Chrome sync did install that Chrome extension back on the other Chrome user profile. However, the first steps of detecting the extension from CSS are still working. There must be a way to prevent website(s) from detecting in this way that a Chrome extension is installed on the user's Chrome web browser. (I am the developer of the "Turn Off the Lights" Chrome extension.)
Mar 15 2017

I believe this can be resolved as "Working as Intended". If an extension does not wish to be detectable from web content, it must not make any injections to the DOM of script or styles, because those injections are inherently detectable by the website's script.
Mar 17 2017

Yes, this is WAI. Being able to detect an extension by tracing its side effects is pretty much unavoidable. Even if we were able to inject stylesheets in isolated worlds somehow, a website could still detect through the changes to the DOM (e.g., if an extension injects a <style> body { background: red; } </style>, and the page does getComputedStyle(document.body).background). There's not really a way around this.
Jun 24 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Mar 15 2017

This extension injects CSS rules (including __totl-icon) into every HTTP and HTTPS page loaded:

    "content_scripts": [
      {
        "matches": ["http://*/*", "https://*/*"],
        "css": ["css/light.css"],
        "run_at": "document_end"
      }
    ],

So it is absolutely expected that its presence would be detectable for any profile in which the extension is loaded and running. Detecting the style in a different user profile where the extension isn't loaded certainly seems unexpected to me.