I may be old-fashioned in this regard but I prefer websites and companies to know as little about me as possible, unless the information are used for a service that I make active use of. I do not mind Amazon knowing that I’m an adult male, as this is blocking recommendations and offers aimed at a female audience on the site.
Ideally, sites that I do not have an account with should know nothing about me. The Polish security researcher Krzysztof Kotowicz discovered a possibility to fingerprint Chrome add-ons with a few lines of JavaScript code.
The method used tests if certain extensions are installed in the browser, which is different from listing all installed extensions. Here are the technical details on how this can done:
A proof-of-concept page has been created that Chrome users can visit for a demonstration. Chrome users without extensions installed, or other browser users, are not affected by this at all.
This has two implications. First a privacy one, as websites can use the information for a variety of purposes. They can for instance test if an adblocker is installed, or social networking, shopping or pregnancy extensions. Security is the other one. Malicious websites could check if add-ons with known vulnerabilities are installed that are no longer maintained by the author.
According to information posted in the comment section, add-ons installed from a custom-packed extension file or that are loaded unpacked are not recognized by the script.
It appears that Firefox is also leaking out information in this regard. Blocking JavaScript code prevents this from happening.
Enjoyed the article?: Then sign-up for our free newsletter or RSS feed to kick off your day with the latest technology news and tips, or share the article with your friends and contacts on Facebook or Twitter. The Difference Between Google Chrome Extensions And Web Apps
Google Chrome Extension Reveals Website User Agent Detection
Google Chrome Extensions Manager
Where Do You Go For Declined Google Chrome Extensions
Google Chrome Extensions Manager About the Author:Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.Author: Martin Brinkmann, Sunday March 18, 2012 -
Tags:google chrome, mozilla-firefox
Ideally, sites that I do not have an account with should know nothing about me. The Polish security researcher Krzysztof Kotowicz discovered a possibility to fingerprint Chrome add-ons with a few lines of JavaScript code.
The method used tests if certain extensions are installed in the browser, which is different from listing all installed extensions. Here are the technical details on how this can done:
You may still remember the CSS History Leak issue were a list of popular web addresses was used on websites to find out if a visitor did visit those sites in the past. The principle is the same, only the execution is different.
Every addon has a manifest.json file. In http[s]:// page you can try to load a script cross-scheme from chrome-extension:// URL, in this case – the manifest file. You just need the addon unique id to put into URL. If the extension is installed, manifest will load and onload event will fire. If not – onerror event is there for you.
A proof-of-concept page has been created that Chrome users can visit for a demonstration. Chrome users without extensions installed, or other browser users, are not affected by this at all.
This has two implications. First a privacy one, as websites can use the information for a variety of purposes. They can for instance test if an adblocker is installed, or social networking, shopping or pregnancy extensions. Security is the other one. Malicious websites could check if add-ons with known vulnerabilities are installed that are no longer maintained by the author.
According to information posted in the comment section, add-ons installed from a custom-packed extension file or that are loaded unpacked are not recognized by the script.
It appears that Firefox is also leaking out information in this regard. Blocking JavaScript code prevents this from happening.
Enjoyed the article?: Then sign-up for our free newsletter or RSS feed to kick off your day with the latest technology news and tips, or share the article with your friends and contacts on Facebook or Twitter. The Difference Between Google Chrome Extensions And Web Apps
Google Chrome Extension Reveals Website User Agent Detection
Google Chrome Extensions Manager
Where Do You Go For Declined Google Chrome Extensions
Google Chrome Extensions Manager About the Author:Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.Author: Martin Brinkmann, Sunday March 18, 2012 -
Tags:google chrome, mozilla-firefox
No comments:
Post a Comment