Unpatched bugs affect the extension system in Chrome, Firefox and Safari
Security researchers have discovered two bugs that affect the extension systems built into current browsers such as Firefox, Safari and everything based on Chromium, such as Chrome and Opera.
Attackers can exploit these bugs to obtain the list of installed extensions with 100% accuracy. This information can then be used to identify a user based on the installed extensions, exposing the actual user behind VPN or Tor services, or for advertising-oriented purposes.
The first bug affects the widely used WebExtensions API
Two researchers from Deusto University in Spain and a researcher from Eurecom, a French research center, discovered these bugs. The first bug affects the extension system used in Chromium-based browsers such as Google Chrome, Opera, Yandex Browser and Comodo Dragon.
Bug affecting multiple Chromium-based browsers
A similar extension system, the WebExtensions API, is also used in newer versions of Firefox, Edge, Vivaldi and Brave. The researchers did not test these browsers but think they are also affected.
The WebExtensions API protects the browser against attackers trying to obtain information about installed extensions through access-control settings in the manifest.json file inside each extension. This file prevents a website from checking files inside the extension unless manifest.json allows it.
Timing side-channel attack on WebExtensions add-ons
The team said that they discovered a 'timed side channel attack on setup authentication'. Browsers that use the Chromium WebExtensions API take longer to respond to a website's request for a file stored on the computer by a fake extension than to a request for a real extension with a wrong path.
chrome-extension://[fakeExtID]/[fakePath]
chrome-extension://[realExtID]/[fakePath]
This allows the researchers to deduce which extensions are installed in the browser by sending a series of paired requests and recording the time the browser needs to respond. This works for Chrome, Opera, Yandex Browser and Comodo Dragon.
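A defender reviewing recorded page requests can look for the probing pattern described above. The following is an added example, not code from the researchers or from the original article: it flags pages that request files from many distinct chrome-extension:// IDs. The log format, field names, threshold and sample IDs are assumptions constructed for illustration.

```javascript
// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXT_URL = /^chrome-extension:\/\/([a-p]{32})\/(.*)$/;

// Constructed sample IDs (not real extensions).
const fakeId = (ch) => ch.repeat(32);

// Constructed request log: which page asked for which URL (assumed format).
const sampleRequests = [
  { page: "https://shop.example/", url: "https://cdn.example/app.js" },
  { page: "https://shop.example/", url: `chrome-extension://${fakeId("a")}/helper.js` },
  { page: "https://tracker.example/", url: `chrome-extension://${fakeId("b")}/x1` },
  { page: "https://tracker.example/", url: `chrome-extension://${fakeId("c")}/x1` },
  { page: "https://tracker.example/", url: `chrome-extension://${fakeId("c")}/x2` },
  { page: "https://tracker.example/", url: `chrome-extension://${fakeId("d")}/x1` },
  { page: "https://tracker.example/", url: `chrome-extension://${fakeId("e")}/x1` },
];

// Split a chrome-extension:// URL into extension ID and path, or return null.
function parseExtensionUrl(url) {
  const m = EXT_URL.exec(url);
  return m ? { id: m[1], path: m[2] } : null;
}

// A page that touches one extension is usually talking to its own companion
// extension. A page that requests files from many distinct IDs is testing
// which extensions exist. The threshold is an assumed starting point to tune.
function findEnumerationSuspects(requests, minDistinctIds = 3) {
  const byPage = new Map();
  for (const { page, url } of requests) {
    const ext = parseExtensionUrl(url);
    if (!ext) continue; // ordinary web request, not an extension probe
    if (!byPage.has(page)) byPage.set(page, { ids: new Set(), probes: 0 });
    const entry = byPage.get(page);
    entry.ids.add(ext.id);
    entry.probes += 1;
  }
  return [...byPage.entries()]
    .filter(([, e]) => e.ids.size >= minDistinctIds)
    .map(([page, e]) => ({ page, distinctIds: e.ids.size, probes: e.probes }));
}

console.log(findEnumerationSuspects(sampleRequests));
```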
The add-on system in Firefox is also affected by the same bug
Firefox is also affected. The browser has moved from the old XML-based add-on API to the Chromium-friendly WebExtensions API.
The researchers did not test it because it was still in development, but said that the old add-on API could still be attacked. Firefox also produces special errors when files are requested from fake extensions.
Safari is affected by URL leakage
The second bug is called URL Leakage and affects extensions in Safari. Safari extensions do not use the manifest.json file to restrict access to extension files. Instead, Safari generates random URLs for each session that only the user can access while using the browser.
The researchers figured out how to guess these random URLs. Tests showed that they could find the extension URLs in 40.5% of cases.
The bugs have not been fixed
'We have published all the findings and are discussing with developers of a number of browsers and utilities to find ways to fix them, in order to reduce these attacks on the current versions and the future,' the team said.
In a research report called Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies, they also detail how these bugs can be used for analysis for advertising purposes as well as for malicious applications.