Prevent a website to probe installation of numerous specific chrome extensions
Reported by
ole.jepp...@gmail.com,
Oct 17
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

Steps to reproduce the problem:
1. Enter https://www.linkedin.com
2. Log in to a private account

What is the expected behavior?
Browser expected to disable a website from probing the existence of numerous chrome extensions and thereby preventing spying and GDPR violations

What went wrong?
This specific website generates 60+ browser errors, one error per probed extension resource

Did this work before? N/A

Chrome version: 70.0.3538.67 Channel: stable
OS Version: 10.0
Flash Version:

The specific extensions Linkedin is probing can be seen in the console by issuing:
>JSON.parse(window.atob(localStorage.getItem('C_C_M')))
In the Metadata.ext array it is seen what extensions are probed and the resources used to identify if the extension is active.
Oct 17
Oct 18
ole.jeppesen@ Thanks for the issue. Tested this issue on Windows 10 on the reported version 70.0.3538.67 by following the below steps.
1. Launched Chrome and logged into https://www.linkedin.com/
2. Opened Devtools -> Console and entered JSON.parse(window.atob(localStorage.getItem('C_C_M'))) and attached is the screen shot of the result.
Request you to check and confirm if this is the issue observed. Thanks.
Oct 18
Thank you Susan.boorgula, this is exactly the issue I have observed. The 13 names in the array start with the extension-ID, and in case you don't have any of these extensions installed your browser will report 13 errors.

There are 2 reasons why this kind of probing/"fingerprinting" is a problem:
1: It violates GDPR regulations to collect the info from a private PC without the consent of the user (you are also probed in the same manner if you are just a visitor without being logged-in)
2: It is espionage if the browser is hosted on a company PC, as the web-server can collect metadata from several employees and thereby map the company IT infrastructure, i.e. use of software.

560 million Linkedin members, plus visitors of e.g. company pages, experience this during each visit, i.e. 13-68 errors. Extreme users of this technique could gather more private info about users, e.g. dating habits, competitors, children, subscription, etc. Hope it is in the interest of Google not to host this technique or reduce the use.
Oct 18
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 25
ole.jeppesen@ Thanks for the issue. Able to reproduce the issue on Windows 10, Mac OS 10.13.3 and Ubuntu 17.10 on the latest Stable 70.0.3538.77 and the latest Canary 72.0.3591.0 as per comment #4. Attached is the screen shot for reference. This is a Non-Regression issue as this is observed from M-60 chrome builds. Hence marking this as Untriaged for further updates from Dev. Thanks.
Oct 26
Unfortunately, there isn't a lot that Chrome, as a browser, can do for this. If an extension takes detectable action on a page, a website will be able to detect it and change behavior based on that - and Chrome can't force the website to not behave in that manner. We *do* try to make it somewhat difficult for websites to detect if extensions are installed, but if an extension chooses to either change the website in a manner that can be easily spotted or use a web_accessible_resource [1], then it will always be detectable. (Though note we are considering expansions to the web accessible resources API to make it harder for websites to use this.) I don't think there's anything actionable that Chromium can do in these scenarios.

[1] https://developer.chrome.com/extensions/manifest/web_accessible_resources
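The console check from the report and the web_accessible_resources mechanism from the comment above, as an added audit helper that is not part of this bug thread: it decodes a constructed blob shaped like the described 'C_C_M' item (the exact LinkedIn layout is an assumption; only the Metadata.ext array of "<extensionId>/<resource>" strings comes from the report) and tallies constructed DevTools error lines, so a user or privacy engineer can list which extensions a page probes and confirm the one-error-per-resource pattern. Written for Node, so Buffer stands in for window.atob; the placeholder IDs and error text are constructed, not real extensions.

```javascript
// Added audit helper (not from the bug thread). ASSUMPTION: the blob is base64
// JSON with Metadata.ext holding "<extensionId>/<resource>" strings, as the
// report describes; everything else here is constructed sample data.

// Chrome extension IDs are 32 chars from a-p (hex digits of the key hash mapped to a-p).
const EXT_ID_RE = /^[a-p]{32}$/;

// Decode the blob and return { id, resource } pairs; malformed entries are skipped.
function probedExtensions(blobB64) {
  const meta = JSON.parse(Buffer.from(blobB64, 'base64').toString('utf8'));
  const out = [];
  for (const entry of meta?.Metadata?.ext ?? []) {
    const slash = entry.indexOf('/');
    if (slash < 0) continue;
    const id = entry.slice(0, slash);
    if (!EXT_ID_RE.test(id)) continue;
    out.push({ id, resource: entry.slice(slash + 1) });
  }
  return out;
}

// Count failed chrome-extension:// requests per extension ID in console lines.
function tallyProbeErrors(lines) {
  const counts = {};
  const re = /chrome-extension:\/\/([a-p]{32})\/\S+/;
  for (const line of lines) {
    const m = re.exec(line);
    if (!m) continue;
    counts[m[1]] = (counts[m[1]] || 0) + 1;
  }
  return counts;
}

// Constructed sample data (placeholder IDs, not real extensions).
const ID_A = 'a'.repeat(32);
const ID_B = 'abcdefghijklmnop'.repeat(2);
const SAMPLE_BLOB = Buffer.from(JSON.stringify({
  Metadata: { ext: [`${ID_A}/img/icon.png`, `${ID_B}/inject.js`, `${ID_B}/css/app.css`, 'garbage'] },
})).toString('base64');
const SAMPLE_ERRORS = [
  `GET chrome-extension://${ID_A}/img/icon.png net::ERR_FAILED`,
  `GET chrome-extension://${ID_B}/inject.js net::ERR_FAILED`,
  `GET chrome-extension://${ID_B}/css/app.css net::ERR_FAILED`,
  'GET https://www.example.com/api 200',
];

console.log(probedExtensions(SAMPLE_BLOB));
console.log(tallyProbeErrors(SAMPLE_ERRORS));
```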
Comment 1 by bugsnash@chromium.org, Oct 17