Google Chrome Addons Fingerprinting

Krzysztof Kotowicz has recently published the first part of a Chrome hacking series. In the post, which went up mid-March, he provides proof-of-concept code to identify the addons that users have installed. (The live demo – avoid if you’re particularly privacy conscious – is here.) There are various advantages to knowing what, specifically, browser users are running:

  • It contributes to developing unique browser fingerprints, letting advertisers track you passively (i.e. without cookies);
  • It enables an attacker to try and compromise the browser through vulnerabilities in third-party addons;
  • It lets websites deny you access to the site if you’re using certain extensions (e.g. a site dependent on web-based ad revenue might refuse to show you any content if you happen to be running adblock or Ghostery).

Means of uniquely identifying browsers have come and gone before, and this will continue into the future. That said, as more and more of people’s computer experiences occur through their browsers, ever-increasing effort will be put into compromising that primary experience vector. It will be interesting to see whether Google – and the other major browser vendors – decide to treat this means of identifying customer-selected elements of the browser as a possible attack vector and consequently move to limit addon-directed surveillance.