New JavaScript Disclose Google Chrome Extensions

Security researcher have posted a JavaScript code which allows any person to check list of Google chrome extension installed on the browser, the code can be used on any website to check visitors list of plugins and as a result disclose many sensitive information that can be used by attacker.

The technique used by Krzysztof Kotowicz to detect adds on is as follows : ”Every addon has a manifest.json file. In http[s]:// page you can try to load a script cross-scheme from chrome-extension:// URL, in this case – the manifest file. You just need the addon unique id to put into URL. If the extension is installed, manifest will load and onload event will fire. If not – onerror event is there for you. 

According to latest statistic Google chrome is just in the second place in term of online usage and it is expanding to be the first widely used browser in the future,  It is the fastest navigator and with those extensions may allow a penetration tester to conduct web application security assessment directly from google chrome.

You can find the code and post by following this link.

Share
You can leave a response, or trackback from your own site.