Over a million developers have joined DZone.

How chrome-extension:// Allows Fingerprinting using JavaScript

DZone's Guide to

How chrome-extension:// Allows Fingerprinting using JavaScript

· Web Dev Zone ·
Free Resource

Jumpstart your Angular applications with Indigo.Design, a unified platform for visual design, UX prototyping, code generation, and app development.

tldr;  Webpages can sometimes interact with Chrome addons and that might be dangerous, more on that later. Meanwhile, a warmup - trick to detect addons you have installed.

While all of us are used to http / https  URI Schemes, current web applications sometimes use other schemes including:

Tough questions

Throughout the years, there have always been questions on how documents from these schemes are supposed to be isolated from each other (think of it like a 2nd order Same Origin Policy). Typical questions include:

  • Can XMLHttpRequest from http:// document load a file:// URL? And the other way around?
  • Can document from https:// load script from http://? Should we display SSL warning then?
  • Can http:// document have an iframe with view-source: src?
  • Can data: URI access the DOM of the calling http:// document?
  • Can file:// URL access a file:// from upper directory (it's not so obvious)
  • What about:blank?
  • How to handle 30x redirections to each of those schemes?
  • What about passing Referer header across schemes?
  • Can I window.open() across schemes? Would window.postMessage() work?
  • and many, many more issues

In general, all this questions come down to:

  • How should we isolate the schemes from each other?
  • What information is allowed to leak between scheme boundaries?

Every single decision that has been made by browser vendors (or standard bodies) in those cases has consequences to security. There are differences in implementation, some of them very subtle. And there are subtle vulnerabilities. Let me present one example of such vulnerability.

Meet chrome-extension://

Google Chrome addons are packaged pieces of HTML(5) + Javascript applications. They may:

  • add buttons to the interface
  • launch background tasks
  • interact with pages you browse
  • ...
All extension resources are loaded from dedicated chrome-extension:// URLs . Each extension has a global unique identifier. For example, 
chrome-extension://oadboiipflhobonjjffjbfekfjcgkhco/help.html is URL representing help.html page from Google Chrome to Phone (you can try it, if you have this extension enabled).

Extension  interact with web pages that you visit and have access to their DOM, but the Javascript execution context is separated (they cannot call each other Javascript code - and for a good reason). 

However even in this separation model there is still place for page <-> addon cooperation. Malicious HTTP pages might interact with addons in various ways. One simple example is addon enumeration.

Finding your addons one by one

With a little Javascript code I can easily test if you're using a certain Chrome addon. Give me a list of most popular extensions and I'll test all of them in milliseconds. Why would I want that as an attacker?

  • to fingerprint your browser (ad networks love this)
  • to start attack against a certain known vulnerable addon (wait for the next post for this ;) )
See demo of Chrome addons fingerprinting. (src here)


The trick is dead simple:

var detect = function(base, if_installed, if_not_installed) {
    var s = document.createElement('script');
    s.onerror = if_not_installed;
    s.onload = if_installed;
    s.src = base + '/manifest.json';
detect('chrome-extension://' + addon_id_youre_after, function() {alert('boom!');});

Every addon has a manifest.json file. In http[s]:// page you can try to load a script cross-scheme from chrome-extension:// URL, in this case - the manifest file. You just need the addon unique id to put into URL. If the extension is installed, manifest will load and onload event will fire. If not - onerror event is there for you.
Update: TIL the technique was already published by @albinowax. Cool!

This is just one simple example of punching the separation layer between addons and webpages. There are more coming. Stay tuned.


Source: http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html

Take a look at an Indigo.Design sample application to learn more about how apps are created with design to code software.


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}