ro_bit 4 hours ago

Why is my Chrome telling random websites which extensions I have installed?

kimos 3 hours ago | parent | next [-]

It isn’t exactly. They created a list of known extensions by their id and a file which is known to exist in that extension. The site iterates over each pair and tries to load that file; if it doesn’t error, it knows the extension is installed. It’s a clever and difficult manual process, but it does bypass the security trying to prevent this kind of thing.

I read that their reasoning is it exists to block users that use known scraper extensions which bypass their terms of use. But I don’t entirely buy that.

FridgeSeal 3 hours ago | parent | next [-]

So the follow-up question is: why is a random website allowed to try and load arbitrary files?

stingraycharles 3 hours ago | parent | next [-]

This is how I interpreted the original question, and indeed it makes no sense; JavaScript from a website should not be allowed to interact with extensions like this.

flomo 2 hours ago | parent | next [-]

It's actually the extension injecting itself into the webpage, often to interact with it. (I imagine much of this is just looking for global ExtensionName objects.)

angoragoats an hour ago | parent [-]

Actually, the article is clear about what is happening technically, and it’s both. Chrome does, in fact, allow the page to make requests for resources stored in the extension bundle, and this is one of the two fingerprinting methods that the article describes.

encom 30 minutes ago | parent | prev [-]

>JavaScript from a website should not be allowed

Agreed 100%.

sigmoid10 2 hours ago | parent | prev | next [-]

Chrome exposes these files via a URL that you can fetch in JavaScript like you would any other file on a normal website. These local extension files usually contain code, styles or images that your browser needs to run the extensions.

pbhjpbhj 11 minutes ago | parent [-]

Why is it not a CORS violation?

The browser needing access and a random website having access are quite different. Seems like a big ol' pile of vulns waiting to happen.

mschuster91 2 hours ago | parent | prev [-]

Because extensions can and often do contain stuff like images or JS bundles that they inject into a target page's DOM. Not allowing a tab's context to load files from the chrome-extension:// namespace would break a lot of things.

nulltrace 13 minutes ago | parent | prev | next [-]

Firefox at least randomizes extension IDs per install. Chrome hands all of that to extension devs, basically a "your problem now".

emporas 3 hours ago | parent | prev [-]

Is the same scan happening on Firefox? Random websites invoking extensions do seem to be a security hole to me.

dminik 2 hours ago | parent [-]

This was posted before and it seems that Firefox randomizes the extension URLs.

pyrophane 2 hours ago | parent | prev | next [-]

Here's the relevant bit from the original source:

"Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.

LinkedIn tests every extension in the list this way."
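
An added example, not part of any comment in this thread or of the quoted source: a manifest audit that shows which extensions the `web_accessible_resources` mechanism quoted above makes detectable, and where the "left to extension devs" point raised earlier in the thread applies. The sample manifests are constructed, the verdict labels are this example's own, and `use_dynamic_url` is treated according to its documented meaning in Chrome's Manifest V3 reference.

```javascript
// Match patterns that expose a resource to essentially every website.
const BROAD = new Set(["<all_urls>", "*://*/*", "https://*/*", "http://*/*"]);

// Normalise the MV2 (array of paths) and MV3 (array of objects) formats.
function exposedResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    // MV2 has no per-site scoping: every listed file is readable by any page.
    return war.length ? [{ resources: war, matches: ["<all_urls>"], dynamic: false }] : [];
  }
  return war.map((e) => ({
    resources: e.resources || [],
    matches: e.matches || [], // entries with only extension_ids expose nothing to pages
    dynamic: e.use_dynamic_url === true,
  }));
}

// Classify how detectable the extension is from a web page.
function auditManifest(manifest) {
  const findings = exposedResources(manifest)
    .filter((e) => e.resources.length && e.matches.length)
    .map((e) => ({
      resources: e.resources,
      anySite: e.matches.some((m) => BROAD.has(m)),
      stableUrl: !e.dynamic, // stable chrome-extension://{id}/{file} URL
    }));
  let verdict = "not-exposed";
  if (findings.some((f) => f.anySite && f.stableUrl)) verdict = "probeable-by-any-site";
  else if (findings.some((f) => f.stableUrl)) verdict = "probeable-by-listed-sites";
  else if (findings.length) verdict = "dynamic-url-only";
  return { name: manifest.name, verdict, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: "mv2-legacy", manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  { name: "mv3-open", manifest_version: 3,
    web_accessible_resources: [{ resources: ["inject.js"], matches: ["<all_urls>"] }] },
  { name: "mv3-scoped", manifest_version: 3,
    web_accessible_resources: [{ resources: ["ui.css"], matches: ["https://example.com/*"] }] },
  { name: "mv3-dynamic", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["ui.css"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  { name: "mv3-none", manifest_version: 3 },
];

const report = SAMPLES.map(auditManifest);
for (const r of report) console.log(r.name.padEnd(12), r.verdict);
```

To audit a real profile, feed each installed extension's parsed `manifest.json` to `auditManifest` instead of `SAMPLES`.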

estimator7292 3 minutes ago | parent | prev | next [-]

So that websites can track and identify you "for improved personalized advertising" in exactly this way.

Browser fingerprinting is massively valuable to Google's surveillance/advertising apparatus. This is all working exactly as intended.

hbn 3 hours ago | parent | prev | next [-]

Is that information available to websites? I figured they were doing some kind of novel hackery to self-detect extensions based on behaviour that would only happen if X extension was installed.

But that would be a lot of work for 6,300 extensions. Unless someone offers that as a service?

sethops1 4 hours ago | parent | prev | next [-]

Can ask the same question about so many horrible security blunders web browsers have made over the decades.

2ndorderthought 4 hours ago | parent [-]

They are only blunders if they aren't being used as features by someone

AndroTux 3 hours ago | parent | prev | next [-]

Brave explicitly blocks this

pnw an hour ago | parent [-]

Last time this was discussed the consensus was Brave does not block it. Brave's fingerprinting protection does not include extensions.

https://news.ycombinator.com/item?id=46904361

p_stuart82 2 hours ago | parent | prev | next [-]

because Chrome lets sites probe "installed", and LinkedIn turns that into telemetry.

actionfromafar an hour ago | parent | prev | next [-]

Chrome always makes tracking easier. It’s their blind spot, because google.

gib444 4 hours ago | parent | prev [-]

Chrome is a browser produced by an advertising company. Its reason for existence is to track you.

lucb1e 3 hours ago | parent [-]

Not that I disagree but Google's tracking motivation in making the browser seems irrelevant to why it lets competitors do this fingerprinting

wetpaws 3 hours ago | parent | next [-]

[dead]

gdulli 3 hours ago | parent | prev [-]

They want fingerprinting to work for everyone because the more effective it is, the higher the value of the ad inventory they sell.