All modern web browsers leak extension information to sites if the sites run scripts to pull the information. We talked about the findings of a research term that published its findings recently in a paper.

Unless scripts are blocked, sites may run scripts that check the response time of the browser as it is different when checks are made for fake extensions and fake resources, and existing extensions and fake resources.

Firefox's situation is special, as it supports the legacy add-on system and the new WebExtensions system. The researcher tested the browser's legacy add-on system only, but suggested that Firefox's new system would also be vulnerable.

An anonymous reader pointed out that Firefox's WebExtensions system uses random IDs, and that this meant that the method to enumerate extensions would not work in that case (unlike in Chrome and other Chromium based browsers).

While that is correct, Mozilla's implementation introduces a new issue that allows sites to identify users if WebExtensions expose content to sites as the random IDs are permanent.

"... in particular, they [Mozilla] changed the initial scheme (moz-extension://[extID]/[path]) to moz-extension://[random-UUID]/[path]. Unfortunately, while this change makes indeed more difficult to enumerate user extensions, it introduces a far more dangerous problem. In fact, the random-UUID token can now be used to precisely fingerprint users if it is leaked by an extensions. A website can retrieve this UUID and use it to uniquely identify the user, as once it is generated the random ID never changes. We reported this design-related bug to Firefox developers as well."

If a site manages to get hold of the ID, it may track the Firefox installation as that ID never changes.

This is not just theoretical either; Earthling, one of the maintainers of the Ghacks Firefox user.js file, has created a proof of concept that highlights a leak in Firefox's native Screenshot tool.

While this particular example requires that users click on the screenshot button in the Firefox interface to make the unique ID available to the site, other extensions may expose content without user interaction.

https://cdn.ghacks.net/wp-content/up...andom-uuid.jpg


Apple's Safari uses a random UUID system as well, and the researchers discovered that they could enumerate about 40% of all extensions as its implementation is flawed.

If the WebExtension exposes content to sites because they have implementation flaws, sites may fingerprint users based on the unique ID that gets exposed in the process.

Closing Words


Mozilla needs to rework the implementation to protect users of the browser from this. Even if you don't use WebExtensions at all, you may be vulnerable to this as Firefox ships with several system add-ons that may expose the ID to sites.