
Issue 834705

Starred by 3 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 3
Type: ----




Any site can detect user extensions and execute extension scripts

Reported by tdubl...@gmail.com, Apr 19 2018

Issue description

This template is ONLY for reporting privacy issues. Please use a different
template for other types of bug reports.

Please see http://www.chromium.org/Home/chromium-privacy for further
information.


PRIVACY ISSUE
Any site can detect a user's installed extensions. (A user's extensions are private data.)

VERSION:
Chrome Version: Version 65.0.3325.181 (Official Build) (64-bit)
Operating System: mac 10.12.6 (16G1212)

REPRODUCTION STEPS:
We can get the ID of any popular extension.
Check its manifest.json file and note a file listed under "web_accessible_resources"; after that we can create a JS file that checks for the extension with a 100% correct answer and can execute the extension's script.

For example:
https://chrome.google.com/webstore/detail/vuejs-devtools/nhdogjmejiglipccpnnnanhbledajbpd
With code:

var head = document.getElementsByTagName('head');
var injectedScript = document.createElement('script');
head[0].appendChild(injectedScript);

// Fetch a resource the extension lists under "web_accessible_resources".
// The request only succeeds if that extension is installed.
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
  if (xhr.readyState == 4 && xhr.status == 200) {
    // The extension is present; run its script in the page.
    injectedScript.innerHTML = xhr.responseText;
  }
};
xhr.open("GET", "chrome-extension://nhdogjmejiglipccpnnnanhbledajbpd/build/backend.js");
xhr.send();


We can download the extension's script and execute it.

I think a site must not be able to detect any user extension with a 100% correct answer, and must not be able to execute the extension's script.
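The probe the report describes, written out as an added example (not the reporter's code and not Chromium's): a page fetches a resource that each candidate extension lists under "web_accessible_resources" and treats a successful response as proof that the extension is installed. The vuejs-devtools entry uses the extension ID and path from the report above; the second candidate is a placeholder ID and path, not a real extension, and the whole candidate list is constructed for illustration. `fetchImpl` is injectable so the logic can be exercised offline with a fake fetch.

```javascript
// Added example: fingerprinting installed extensions through web_accessible_resources.
// Candidate list is constructed for illustration. The first entry comes from the report;
// the second is a hypothetical placeholder, not a real extension.
const CANDIDATES = [
  { name: 'vuejs-devtools', id: 'nhdogjmejiglipccpnnnanhbledajbpd', path: 'build/backend.js' },
  { name: 'placeholder-ext', id: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', path: 'icon.png' }, // hypothetical
];

// Build the chrome-extension:// URL for a web-accessible resource.
function resourceUrl(id, path) {
  return `chrome-extension://${id}/${path.replace(/^\/+/, '')}`;
}

// Probe one candidate. In Chrome a missing extension or a resource that is not
// web-accessible surfaces as a network error (fetch rejects), not as a 404, so a
// rejection is treated as "not installed". A timeout guards against hangs.
async function probeOne(candidate, fetchImpl, timeoutMs = 2000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(resourceUrl(candidate.id, candidate.path), {
      signal: controller.signal,
    });
    return res.ok;
  } catch (e) {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// Probe every candidate in parallel and return the names of those that answered.
async function probeExtensions(candidates, fetchImpl = globalThis.fetch) {
  const results = await Promise.all(candidates.map((c) => probeOne(c, fetchImpl)));
  return candidates.filter((_, i) => results[i]).map((c) => c.name);
}

// In a real page this runs against the browser's own fetch.
if (typeof document !== 'undefined') {
  probeExtensions(CANDIDATES).then((installed) => console.log('installed:', installed));
}
```

Two caveats a practitioner should keep in mind. The probe only works for resources the extension itself declared web-accessible, which is the point made in the replies below. And "executing the extension script" from a page, as the report's snippet does, runs that script in the page's own origin with the page's privileges, not the extension's; it is a fingerprinting and code-disclosure concern rather than a privilege escalation.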


Cc: rdevlin....@chromium.org
Components: Platform>Extensions
This is not exactly correct.

An extension must describe some resources as web-accessible (https://developer.chrome.com/extensions/manifest/web_accessible_resources) in order for the XHR in your example to work.

If an extension has no web-accessible resources, it can't be detected in this way. If an extension is supposed to work on every website, then it likely intends to make certain resources available on every website, and thus is also detectable on every website.

I can see a use case where an extension only wants to interact with a small number of predefined websites, and would only want to expose web-accessible resources to those websites, and not to the whole web, in order not to be detectable. Is that something we can support?

Furthermore, I also do see an argument for priority of constituencies in that the user should be able to hide extensions even if the extensions declared that they want to be visible, but that would likely break their functionality in most cases, so it would perhaps be better to just inform users at installation time that an extension will be web-visible.

Punting to the extensions team in case they thought about this already.

Comment 2 by tdubl...@gmail.com, Apr 19 2018

Yes, I absolutely agree with you.
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Available (was: Untriaged)
As msramek@ mentioned, this is all documented, including the fingerprinting aspect.

"Making resources accessible by the web, under the web_accessible_resources will make an extension detectable by websites and attackers."

https://developer.chrome.com/extensions/security#web_accessible_resources

We have thought about how we might provide the ability to restrict web accessible resources only to certain sites for a while, but do not currently have a concrete plan.  I think this would address the cases where an extension is not deliberately acting with a site.

In the case of a cooperating extension and website, I'm not sure that either informing the user or trying to give the user the ability to prevent interaction would be practical.  If an extension and a website are acting together, there are any number of ways that the extension will be visible to the website (e.g., scripting the site, xhr, cookies, etc), and it doesn't seem like a reasonable threat model.
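An audit of the setting this discussion turns on, added here as an example and not code from this issue or from Chromium. In Manifest V2, `web_accessible_resources` is a flat list and every entry is reachable from every origin; the per-site restriction the comments above ask for was later added in Manifest V3, where each entry carries `resources` plus `matches` (site patterns) or `extension_ids`, and `use_dynamic_url` makes a resource reachable only through a per-session dynamic ID rather than the stable extension ID. The function below reads either form and flags each resource that any website could fetch, and therefore use to fingerprint the extension. Both manifests are constructed for illustration and the extension ID in them is a placeholder.

```javascript
// Added example: audit which web_accessible_resources make an extension
// fingerprintable by arbitrary websites. Manifests below are constructed, not real.
const MV2_MANIFEST = {
  manifest_version: 2,
  name: 'constructed example',
  web_accessible_resources: ['build/backend.js', 'icons/*.png'],
};

const MV3_MANIFEST = {
  manifest_version: 3,
  name: 'constructed example',
  web_accessible_resources: [
    // Only the cooperating site can fetch this one.
    { resources: ['build/backend.js'], matches: ['https://app.example/*'] },
    // Exposed to every origin: fingerprintable by any page.
    { resources: ['icons/*.png'], matches: ['<all_urls>'] },
    // Wide match, but served only under a per-session dynamic ID, so a page
    // probing the stable extension ID gets nothing.
    { resources: ['inject.js'], matches: ['<all_urls>'], use_dynamic_url: true },
    // Reachable only from another extension (placeholder ID), not from web pages.
    { resources: ['bridge.js'], extension_ids: ['bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'] },
  ],
};

// True when a match pattern admits every origin: "<all_urls>" or a wildcard host
// such as "*://*/*" or "https://*/*". A subdomain wildcard like "https://*.example/*"
// is still scoped to one site and does not count.
function matchesEveryOrigin(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  return !!m && m[2] === '*';
}

// Returns one finding per resource: who can fetch it and whether any website can.
function auditWebAccessibleResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  const findings = [];

  if (manifest.manifest_version === 2) {
    // MV2: a flat list; every entry is reachable from every origin.
    for (const resource of war) {
      findings.push({ resource, exposedTo: ['<all_urls>'], dynamicUrl: false, fingerprintable: true });
    }
    return findings;
  }

  for (const entry of war) {
    const sites = entry.matches || [];
    const extensions = (entry.extension_ids || []).map((id) => `extension:${id}`);
    const dynamicUrl = Boolean(entry.use_dynamic_url);
    // Fingerprintable from the stable ID only if some site pattern admits every
    // origin and the resource is not restricted to the dynamic URL.
    const fingerprintable = !dynamicUrl && sites.some(matchesEveryOrigin);
    for (const resource of entry.resources || []) {
      findings.push({ resource, exposedTo: [...sites, ...extensions], dynamicUrl, fingerprintable });
    }
  }
  return findings;
}

// Convenience view: just the resources any website could use to detect the extension.
function fingerprintableResources(manifest) {
  return auditWebAccessibleResources(manifest)
    .filter((f) => f.fingerprintable)
    .map((f) => f.resource);
}

console.log('MV2 fingerprintable:', fingerprintableResources(MV2_MANIFEST));
console.log('MV3 fingerprintable:', fingerprintableResources(MV3_MANIFEST));
```

Running this over an extension's own manifest.json is the check to do before publishing: any resource the audit flags is one that every page the user visits can use to learn the extension is installed, which is exactly the documented trade-off quoted above.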
Just to clarify, my proposal was not informing the user about a cooperation in real time, just during the installation that "This extension needs to be web-visible and would quite probably not work if it wasn't.", which boils down to "This extension is web-visible." and you can choose not to install if that's a problem.

As usual, this is going to be a UX tradeoff, because this information may be meaningless for many users; however, for e.g. accessibility extensions, being web-visible means revealing health data, so I can imagine that such a notice may be meaningful for some.
