Browsers: Data leakage across platforms

Security researchers discovered flaws (PDF) in the extension systems of all modern browsers that attackers can exploit to list all installed browser extensions.

The attack affects all modern browsers. The researchers were able to confirm this in all Chromium-based browsers and believe it also affects other browsers, such as Firefox or Edge, that use the same extension system. The add-on system of Firefox is also vulnerable to the attack.

The affected browsers are the Chromium-based Google Chrome, Yandex and Opera, Firefox-based browsers such as Firefox or Pale Moon, and Microsoft Edge.

All browsers protect extension data from the websites the user visits. However, we have seen that sites use different techniques to collect data from browsers.

Security researchers have discovered a way to list installed browser extensions even in the latest versions of browsers.

The "timing side-channel attack" can be used to list installed browser extensions by monitoring how the browser responds to requests for access to resources.

When a website requests access to a resource of an extension in the browser, the browser must perform two checks: one to see if the extension exists, and another to see if the resource the site wants to access is publicly available.

By watching the response, attackers can determine the reason a request was refused. The site measures the time it takes for a request to a fake extension to return and the time it takes for a real extension.

By comparing the two timings, installed extensions are revealed. According to the researchers, the accuracy of the method reaches 100%.
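The two-check behaviour described above can be modelled as follows. This is an added example, not code from the researchers or from any browser: the extension IDs, paths and function names are constructed, and work is counted in abstract steps rather than measured time. The uniform variant is one illustrative way to remove the difference, not the vendors' actual fix.

```javascript
// Simplified model (added example, not browser source code) of the two checks
// a browser makes when a page requests an extension resource.
// Work is counted in abstract steps instead of wall-clock time so the result
// is deterministic; in a real browser the extra step shows up as extra latency.

// Constructed sample data: one installed extension with one public resource.
const installed = new Map([
  ["ext-installed-example", new Set(["public/icon.png"])],
]);

// Leaky order of checks: return as soon as the extension is not found.
function leakyRequest(extId, path) {
  let steps = 1;                           // check 1: does the extension exist?
  const resources = installed.get(extId);
  if (!resources) return { allowed: false, steps };
  steps += 1;                              // check 2: is the resource public?
  return { allowed: resources.has(path), steps };
}

// Hardened variant: always perform both checks so every denial costs the same.
const EMPTY = new Set();
function uniformRequest(extId, path) {
  let steps = 1;                           // check 1 always runs
  const resources = installed.get(extId) || EMPTY;
  steps += 1;                              // check 2 runs even for unknown IDs
  return { allowed: resources.has(path), steps };
}

// What the page can observe: both requests are denied, only the cost differs.
function observableDifference(handler) {
  const fake = handler("ext-not-installed-example", "private/secret.js");
  const real = handler("ext-installed-example", "private/secret.js");
  return {
    bothDenied: !fake.allowed && !real.allowed,
    stepGap: real.steps - fake.steps,
  };
}
```

A non-zero `stepGap` for a handler means the denial of a non-public resource is distinguishable from the denial for an extension that is not installed, which is the signal the timing comparison relies on.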

The attack uses extension identifiers and someone . Researchers already have about 10000 Chrome and Firefox extension IDs. So they can accurately locate the extensions by comparing the identifiers.

"Real" attackers could use this information for fingerprinting or targeted attacks against specific browser extensions.

Since all these attacks are based on scripts, any script blocker can protect you from the attack.

Update: After a conversation we had on Facebook with a friend of SecNews, we thought we should clarify that the Apple browser is also affected, through URI leakage in the Safari extensions model.


Written by giorgos
