We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to constrict unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.
But this is about major corporation sneakily abusing this to ilegally extract specific sensitive data which they are abusing.
The fact that the website is doing this is a bigger problem than the browser not preventing it. If someone breaks into a house, it's the burglar who is prosecuted, not the company that made the door.
If you scanned LinkedIn's private network, you'd be criminally charged. Why are they allowed to scan yours with impunity? And why is this being normalized?
The best solution is a layered defense: laws that prohibit this behavior by the website and browsers that protect you against bad actors who ignore the law.
First, I think it’s a major issue that Chrome is allowing websites to check for installed extensions.
With that said, scanning LinkedIn’s private network is not analogous to what is going on here. As problematic as it is, they’re getting information isolated to the browser itself and are not crossing the boundary to the rest of the OS much less the rest of the internal network.
Problematic for privacy? Yes. Should be locked down? Yes. But also surprisingly similar to other APIs that provide information like screen resolution, installed fonts, etc. Calling those APIs is not illegal. I’m curious to know what the technical legal ramifications are of calling these extension APIs.
If a company leaks my sensitive data, I get some nice junkmail offering me some period of time of credit monitoring or whatever so what are browsers doing to prevent this?
The issue should never be 'We want entities to have this data but only use it in some constrained and arbitrary manner that we can't even agree about it's definition.' instead 'This data shouldn't be made available to X'
This is blatant misinformation. Firefox (and all of its derivatives) also does this.
That can only happen if the extension itself leaks it to the web page and if that happens, scanning isn't necessary since it already leaked what it is to the webpage. It also doesn't tell you what extension it is, unless again, the extension leaks it to the webpage.
The attack on Chrome is far more useful for attackers as web pages can scan using the chrome store's extension ID instead.
Point being: Google will 100% give your info to the police, regardless of whether the police have the legal right to it or not, and regardless of whether you actually committed a crime or not.
Bonus points: the federal court that ruled on the case said that it likely violated the fourth amendment, but they allowed the police to admit the evidence anyway because of the "good faith" clause, which is a new one for me. Time to add it to the list of horribly abusable exceptions (qualified immunity, civil asset forfeiture, and eminent domain coming to mind).
The bad guy here is google. And the people that champion data collection by private companies because of free market == good.
1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.
2. Scan the DOM, look for nodes containing "chrome-extension://" within them (for instance because they link to an internal resource)
It's pretty obvious why the second one works, and that "feels alright" - if an extension modifies the DOM, then it's going to leave traces behind that the page might be able to pick up on.
The first one is super problematic to me though, as it means that even extensions that don't interact with the page at all can be detected. It's unclear to me whether an extension can protect itself against it.
Big +1 to that.
The charitable interpretation is that this behavior is simply an oversight by Google, a pretty massive one at that, which they have been slow to correct.
The less-charitable interpretation is that it has served Google's interests to maintain this (mis)feature of its browser. Likely, Google or its partners use similar to techniques to what LinkedIn/Microsoft use.
This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.
The more-fully-open-source Mozilla Firefox browser seems to have had no difficulty in recognizing the issues with static extension IDs and randomizing them since forever (https://harshityadav.in/posts/Linkedins-Fingerprinting), just as Firefox continues to support ManifestV2 and more effective ad-blocking, with no issues.
uBlock Origin Lite (compatible w/ ManifestV3) works quite well for me, I do not see any ads wherever I browse.
This is better than forcing the extension to announce it's presences on every web site.
For other capabilities, like BlueTooth API, rather than querying the browser, assume that the browser can do it and then have the browser inform the user that the site is attempting to use an unsupported API.
I think Android’s ‘permissions’ early on (maybe it’s improved?) and Microsoft’s blanket ‘this program wants to do things’ authorisation pop up have set a standard here that we shouldn’t still be following.
Of course Google is going to back door their browser.
> Of course Google is going to back door their browser.
Aside from the fact that other browsers exist, this makes no sense because Google would stand to gain more by being the only entity that can surveil the user this way, vs. allowing others to collect data on the user without having to go through Google's services (and pay them).