Online advertisers and malicious actors alike need as much data from the client as possible, and the local browser stands at attention to do their bidding. Detecting extensions is only one of many ways to distinguish one machine’s environment from another.

Browser extension details can help fingerprint the client from others, as in: “This client uses a Google Translate browser extension.
Plugin information can also aid in targeted client exploitation, as in: “This client has version 2.0.6 of the password manager installed, with working exploits A, B, and C.”
Addon identification can also be leveraged to hijack the local browser, as in: “This developer’s Gmail account has been pwned; let’s use it to push a malicious update.”

Check out our blog posts with real-life examples: JavaScript Template Attacks, Password Manager Extension Exploit, and How Do I Know If My Local Browser Extension Was Hijacked?

Besides the usual suspects, who else would benefit from knowing which browser extensions are installed on a given client? Take online advertising firms, for example. Addon insights can help them build target profiles based on user interests and preferences. In other words, if the client has an extension for a free VPN service installed, the user may be susceptible to pitches for other questionable services or products as well.

Ideally, traditional web browsers and their extensions should be built with your security and privacy in mind and shouldn’t be detected by any external service. Since that is not the case, we had better face the harsh reality together and ask: How much – or little – does it take to query what extensions are installed on a browser and get a list of them? Let’s dive in.

Google Chrome and Mozilla Firefox are the two browsers we’re going to run tests against. They have the most extensive collection of various browser plugins you can install from their respective web stores. The way Google Chrome handles extension queries is through its chrome-extension:// URI scheme.