7

Motivation

I want to develop a custom, local Firefox extension and investigate if its installation has any impact on the browser fingerprint.

Background

Some time (years?) ago, there were articles advising against installing too many browser extensions, as they would make the browser client more identifiable and trackable by leveraging more unique fingerprints (if I remember correctly).

Today I gained more experience with JavaScript and its APIs in general, though still lacking knowledge about the Firefox web extensions API to approve or falsify the mentioned articles' statement. After a bit of research, I cannot find any JavaScript API that would allow websites to read a list of my installed extensions or similar. amiunique.org also does not provide this information. Hence I would like to comprehend possible reasons for this advice (can't remember the source, sorry).

I guess Mozilla has also hardened its extensions API in the meantime (was it v60?), which might make those statements not comparable to the status quo.

Questions

  1. As of today, is there any JavaScript API that allows reading the list of used/installed extensions, so websites could use this information to create a more unique fingerprint of my browser client?

  2. Does using a custom, locally developed (or more in general any) extension have an impact on the browser fingerprint?

  3. Have browser APIs been more "generous" in terms of querying installed extensions, so that this advice has made sense in the past?

bela53
  • I don't think it is possible to actually query the extensions but one can detect known extensions by traces they leave (see [How to Detect Browser Extensions](https://securityboulevard.com/2019/11/how-to-detect-browser-extensions-3/)) or by their specific behavior - like leaving "traps" which result in a behavior specific to the installed extension. Of course, it depends on what the extension is actually doing. – Steffen Ullrich Sep 25 '20 at 19:24
  • @SteffenUllrich Thanks, very interesting! I think your comment posted as an answer would make a great addition to the question, if you want to. – bela53 Sep 26 '20 at 07:38

2 Answers

5

There are no explicit APIs to enumerate the browser extensions. But this does not mean they are not detectable or that they cannot be included in the fingerprint even if the specific extension is not detected.

Browser extensions usually serve a purpose and this purpose can cause side effects, like manipulating the DOM (remove ads, change visual representation, enrich content with more additional information ...) or change the timing of operations. These side effects can be measured and can be included in the browser fingerprint. This can be done even if the specific extension is not known, i.e. even the effect of private extensions can be included in the fingerprint.

Apart from that, it might be possible to detect the existence of a specific extension by probing its internal resources, see How to Detect Browser Extensions for details.

Steffen Ullrich
2

While there's never been a list of installed extensions available to the site's code, years ago the browser provided an iterable list of "plugins" called navigator.plugins. These aren't exactly the same as extensions as it's an older technology (e.g. Shockwave, QuickTime, PDF), but some extensions added plugins to the list, and people often confuse the two.

At any rate, these lists have been decimated and are no longer useful to tell what's installed; they just list a few built-in common ones like Native Client and PDF handlers. The same with navigator.mimeTypes, which could reveal installed applications, outside the browser, like Word. These changes were made explicitly to provide privacy and reduce fingerprinting surfaces.

In short, there's nothing inherently revealing about an extension these days, other than possible side-effects (e.g. ads don't load) and artifacts (e.g. shortcut icons on form fields).

dandavis
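Both answers point at DOM side effects and artifacts as the observable part of an extension. The following is an added example, not code from either answer, that an extension author could use to audit which traces their own extension leaves on a page by diffing a clean-profile DOM against one with the extension enabled. The element trees are constructed sample data, and the names `data-example-ext` and `example-ext-icon` are hypothetical; in a browser you would pass `document.documentElement` from each profile instead.

```javascript
// Flatten a DOM-like tree (tagName, attributes, children) into a set of features.
function domFeatures(node, path = "", out = new Set()) {
  const here = `${path}/${node.tagName.toLowerCase()}`;
  out.add(here);
  for (const attr of Array.from(node.attributes || [])) {
    // Attribute names and values are both readable by page scripts.
    out.add(`${here}[${attr.name}=${attr.value}]`);
  }
  for (const child of Array.from(node.children || [])) {
    domFeatures(child, here, out);
  }
  return out;
}

// Features present with the extension enabled but absent from the clean profile.
function extensionTraces(baselineRoot, observedRoot) {
  const base = domFeatures(baselineRoot);
  return [...domFeatures(observedRoot)].filter((f) => !base.has(f)).sort();
}

// FNV-1a style hash over the traces: a stable value that could be folded into
// a fingerprint without knowing which extension caused the changes.
function traceHash(traces) {
  let h = 0x811c9dc5;
  for (const ch of traces.join("\n")) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed sample: a login form as served, and the same form after a
// hypothetical extension added a marker attribute and an icon element.
const el = (tagName, attrs = {}, children = []) => ({
  tagName,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
  children,
});
const served = el("FORM", { id: "login" }, [el("INPUT", { type: "password" })]);
const withExtension = el("FORM", { id: "login" }, [
  el("INPUT", { type: "password", "data-example-ext": "1" }),
  el("IMG", { class: "example-ext-icon" }),
]);

const traces = extensionTraces(served, withExtension);
console.log(traces, traceHash(traces));
```

An empty trace list means the extension changed nothing a page script could see in the DOM; timing effects and resource probing, which the first answer also mentions, are not covered by this check.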