X-Probe: Extension Detector
Demonstration of non-behavioural extension discovery on Chromium-based browsers
Additional Information
Google allows third-party developers to extend the functionalities of the Chrome browser and make their work available to other users by publishing it on the Chrome Web Store.
To mitigate the risk of vulnerable extensions compromising the security of Chrome users, Google requires extension developers to publish a manifest declaring exactly which permissions are required for their correct functionality. This ensures that even a compromised extension would not be able to perform any operation outside of its intended capabilities.
For example, an extension providing users with weather updates would not be authorised to monitor their browsing history or access their files.
Non-behavioural analysis is a technique to detect extensions installed on the browser of site visitors.
Unlike behavioural analysis, which observes extension-made changes to web pages (e.g. removing advertisements), non-behavioural analysis provides precise, immediate results and does not produce false positives (meaning that it will never detect extensions which are not actually installed).
Vulnerabilities in the Manifest protocol
Non-behavioural discovery exploits two fundamental vulnerabilities in the Manifest protocol: unique extension identifiers and web-accessible resources, which must be publicly declared by extension developers. Specifically, web-accessible resources may consist of files (e.g. images, scripts, or hypertext), which extensions intend to inject into web pages. Additionally, to ensure isolation between different extensions, web-accessible resources are accessed via unique URLs embedding extension identifiers.
For example, the password managing service "Bitwarden" released its own browser extension with identifier nngceckbapebfimnlniiiahkandclblb. When a user registers on a new website, the extension injects a message prompt into the webpage asking whether they wish to save their login credentials. Consequently, the message prompt is accessed through a request sent from the webpage to the unique URL:
chrome-extension://nngceckbapebfimnlniiiahkandclblb/notification/bar.html
This uniqueness can be exploited by analysing large numbers of publicly-available extensions to locate web-accessible resources and compose a "checklist" of requests to be sent to the browser of site visitors. If a resource request is successful, it can be unequivocally concluded that its associated extension is installed on the surveyed browser.
Poor security practices by extension developers
In an effort to mitigate this issue, in the year 2020, Google released a new iteration of the Manifest protocol (i.e. Manifest Version 3), although, at the time of writing, only ~30% of extensions have transitioned towards it. While in the previous iteration, web-accessible resources could be retrieved indiscriminately across all visited websites, extension developers must now specify match patterns to define which websites should be allowed access.
For example, the extension "Return Youtube Dislikes" may restrict access by specifying the match pattern *://*.youtube.com/*.
However, this measure can be rendered ineffective by providing loose match patterns, such as <all_urls>, *://*/*, and https://*/*.
While this practice is not inherently inappropriate, it is often unnecessarily employed by inattentive extension developers.
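As an added example (not X-Probe's own code), the following manifest audit lists which web-accessible resources any website can request: it flags the loose match patterns named above, treats Manifest Version 2 resource lists as fully exposed, and shows the weak entry beside its corrected, site-restricted form. The sample manifest and resource paths are constructed, and the use_dynamic_url handling assumes Chrome's MV3 key of that name.

```javascript
// Added example, not part of X-Probe: audit an extension manifest for
// web-accessible resources that any web page can request, the condition that
// makes an extension detectable by probing. Keys are real Chrome MV2/MV3 keys.

// Match patterns that grant every website access to a resource.
const LOOSE_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
function isLoosePattern(pattern) {
  return LOOSE_PATTERNS.has(pattern.trim());
}

// One finding per resource: { resource, matches, exposed }. exposed === true
// means any origin may load it, so the fixed chrome-extension://<id>/<path>
// URL reveals that the extension is installed.
function auditWebAccessibleResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  const findings = [];
  if (manifest.manifest_version === 2) {
    // MV2: a flat list of paths, reachable from every origin.
    for (const resource of war) {
      findings.push({ resource, matches: ["<all_urls>"], exposed: true });
    }
    return findings;
  }
  // MV3: each entry pairs resources with the match patterns allowed to load them.
  // use_dynamic_url swaps the static id for a per-session id, so the fixed
  // URL cannot be probed even when the pattern is loose.
  for (const entry of war) {
    const matches = entry.matches || [];
    const exposed = matches.some(isLoosePattern) && entry.use_dynamic_url !== true;
    for (const resource of entry.resources || []) {
      findings.push({ resource, matches, exposed });
    }
  }
  return findings;
}

function exposedResources(manifest) {
  return auditWebAccessibleResources(manifest).filter((f) => f.exposed).map((f) => f.resource);
}

// Constructed MV3 manifest: a loose entry (weak), one restricted to a single
// site (corrected), and one protected by use_dynamic_url.
const sampleManifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["notification/bar.html"], matches: ["https://*/*"] },
    { resources: ["inject/widget.js"], matches: ["*://*.example.com/*"] },
    { resources: ["icons/logo.png"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};
```

Running the audit on a real manifest.json (after JSON.parse) lists exactly the resources a probing page could use to detect the extension; only the first entry of the sample is reported.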
Non-behavioural analysis is a valuable technique for detecting installed extensions on a browser.
There are both malicious and benevolent reasons why it may be employed.
On the malicious side, non-behavioural analysis can be used to track users across different websites, enabling an attacker to build detailed profiles of user behaviours and preferences. Additionally, it can identify the presence of sensitive or vulnerable extensions, thus enabling targeted attacks.
For example, an adversary could deceive a victim into opening their website, detect the presence of a password manager, and prompt the user with a tailored phishing page to collect their master password. Alternatively, they could identify vulnerable extensions in a victim's browser and, successively, attempt to compromise their system or steal sensitive data.
On the benevolent side, legitimate websites can employ non-behavioural analysis to alert users about detected browser extensions known to be vulnerable or malicious, thus improving their privacy and security. Additionally, non-behavioural analysis may help discern legitimate visitors from fabricated ones (i.e. bots) and improve intrusion detection by producing more detailed browser fingerprints.
Executing the analysis
Click on "Start Demonstration", select your preferred mode of execution, and wait for the analysis to complete.
We provide four modes of execution:
- Complete: surveys 26,574 vulnerable extensions out of (almost) all extensions available on the Chrome Web Store;
- Partial: surveys vulnerable extensions out of popularity-based groups: top 100, top 1k, top 10k. Extensions were assigned to each group based on the following metrics: rating count, download count, and rating score.
Understanding the analysis' results
Detected extensions are presented in a table containing the following information:
- Extension: the extension name and identifier;
- Web-Accessible Resource: the vulnerable resource and match pattern. The latter is shown only if Manifest Version 3 was used;
- Time to Detection: amount of time (in seconds) required to detect the extension, since the start of the demonstration.
Accessing the dataset and source code
The complete dataset can be downloaded at this link and includes information about ~111k extensions, ~108k crx archives, and ~1M web-accessible resources.
IPFS content identifier: bafybeiae47z4rei7ckxwsulql5s7p4txnv3ygwunvysimzcmfe4lbib2mu
Use a Chromium-based browser to execute the analysis.
Use a desktop computer to execute the analysis.