HTML5 Zone is brought to you in partnership with:

Krzysztof is a DZone MVB and is not an employee of DZone and has posted 18 posts at DZone. You can read more from them at their website. View Full User Profile

How chrome-extension:// Allows Fingerprinting using JavaScript

02.18.2012
| 3815 views |
  • submit to reddit
tldr; Webpages can sometimes interact with Chrome addons and that might be dangerous, more on that later. Meanwhile, a warmup - trick to detect addons you have installed.

While all of us are used to http / https URI Schemes, current web applications sometimes use other schemes including:

Tough questions

Throughout the years, there have always been questions on how documents from these schemes are supposed to be isolated from each other (think of it like a 2nd order Same Origin Policy). Typical questions include:

  • Can XMLHttpRequest from http:// document load a file:// URL? And the other way around?
  • Can document from https:// load script from http://? Should we display SSL warning then?
  • Can http:// document have an iframe with view-source: src?
  • Can data: URI access the DOM of the calling http:// document?
  • Can file:// URL access a file:// from upper directory (it's not so obvious)
  • What about:blank?
  • How to handle 30x redirections to each of those schemes?
  • What about passing Referer header across schemes?
  • Can I window.open() across schemes? Would window.postMessage() work?
  • and many, many more issues

In general, all this questions come down to:

  • How should we isolate the schemes from each other?
  • What information is allowed to leak between scheme boundaries?

Every single decision that has been made by browser vendors (or standard bodies) in those cases has consequences to security. There are differences in implementation, some of them very subtle. And there are subtle vulnerabilities. Let me present one example of such vulnerability.

Meet chrome-extension://

Google Chrome addons are packaged pieces of HTML(5) + Javascript applications. They may:

  • add buttons to the interface
  • launch background tasks
  • interact with pages you browse
  • ...
All extension resources are loaded from dedicated chrome-extension:// URLs . Each extension has a global unique identifier. For example,  chrome-extension://oadboiipflhobonjjffjbfekfjcgkhco/help.html is URL representing help.html page from Google Chrome to Phone (you can try it, if you have this extension enabled).
Extension interact with web pages that you visit and have access to their DOM, but the Javascript execution context is separated (they cannot call each other Javascript code - and for a good reason). 
However even in this separation model there is still place for page <-> addon cooperation. Malicious HTTP pages might interact with addons in various ways. One simple example is addon enumeration.

Finding your addons one by one

With a little Javascript code I can easily test if you're using a certain Chrome addon. Give me a list of most popular extensions and I'll test all of them in milliseconds. Why would I want that as an attacker?

  • to fingerprint your browser (ad networks love this)
  • to start attack against a certain known vulnerable addon (wait for the next post for this ;) )
See demo of Chrome addons fingerprinting. (src here)

How?

The trick is dead simple:

var detect = function(base, if_installed, if_not_installed) {
    var s = document.createElement('script');
    s.onerror = if_not_installed;
    s.onload = if_installed;
    document.body.appendChild(s);
    s.src = base + '/manifest.json';
}
detect('chrome-extension://' + addon_id_youre_after, function() {alert('boom!');});

Every addon has a manifest.json file. In http[s]:// page you can try to load a script cross-scheme from chrome-extension:// URL, in this case - the manifest file. You just need the addon unique id to put into URL. If the extension is installed, manifest will load and onload event will fire. If not - onerror event is there for you.
Update: TIL the technique was already published by @albinowax. Cool!

This is just one simple example of punching the separation layer between addons and webpages. There are more coming. Stay tuned.

 

Source: http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html

Published at DZone with permission of Krzysztof Kotowicz , author and DZone MVB.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)