Browser Extension and Login-Leak Experiment

How does the detection techniques work?

How does the extension detection work?

The detection technique exploits the fact that some Chrome browser extensions expose which resources are accessible to websites. For example, a website can try to detect if Ghostery is installed by trying to load its images (click to test: chrome-extension://mlomiejdfkolichcflejclcbmpeaniij/app/images/apps_pages/tracker.png) or if you have Adblock installed (click to test: chrome-extension://gighmmpiobklfepjocnamgkkbiglidom/icons/icon24.png).

We have detected the resources of ~13k Chrome browser extensions. For each of these, the test tries to load one resource per extension as a detection trial. If the load event is successful, we reckon a legitimate detection attempt of the extension. Due to the high number of extensions, this might take a while – we ask for your patience. When it finishes, it will provide the list of the detected extensions.

How does the login detection work?

Redirection URL hijacking. Usually, when you try to get access to a secured web resource, you are dropped to the login page if you are not logged in already. In order to make your life easier, these login pages remember the previous URL, where you were trying to get access to – they plan to drop you there after logging in properly. This is where our attack comes in: we change this URL, so you'll land on an image if already logged in.

More technically speaking, if we embed an <img> tag pointing to the login page with the changed URL redirection, two things can happen. If you are not logged in, this image will fail to load. However, if you are logged in, the image will load properly, and we can detect this, even though we are a third-party site in this context.

Abusing Content-Security-Policy violation for detection. Content-Security-Policy, or CSP in short, is a security feature designed to limit what the browser can load for a website. For example, CSP can be easily used to block injected scripts on forums. If there is an attempt like that, the resource will not load, and the browser can also be instructed to report such violation attempts to the server backend.

We use this mechanisms for login detection,by embedding an <img> tag pointing to a specific subdomain (and page) on the target website. It's enough to wait if a redirection happens or not (which would violate our artificial CSP constraints).

  Back to the main page

Browser Extension and Login-Leak Experiment – © 2019 all rights reserved – Website designed by Gábor Gulyás