Security researchers in Europe have discovered a pair of flaws in modern web browsers’ extension system. Exploiting these flaws would allow a patient and determined hacker to determine with absolute accuracy which extensions any given user has installed.
While not as critical a flaw as some of the others we’ve seen in recent months, this information could still be used to create highly accurate user profiles. This would allow hackers to create custom-tailored phishing attacks and landing pages aimed at users with a certain set of browser extensions installed, who would be more likely to click on or investigate them and thus fall into the hackers’ trap.
It should be noted that these two flaws appear in all of the popular web browsers in use today, including Firefox, Safari, Chrome, Opera, Microsoft Edge and others, so this is something that impacts the vast bulk of the world’s internet users.
All of these browsers use the same extension system, the “WebExtensions API,” so the vulnerability is truly global in scope and scale.
Unfortunately, there’s not currently an ETA for a fix for the issue. The researchers approached all of the major browser makers to report the issue, but so far, none of the companies behind those products have responded with a firm plan for fixing the security flaw.
In part, this is because they’re all mired in the constant battle to close critical security loopholes, and this one just doesn’t quite measure up. It is nonetheless disconcerting that none of the major browser makers have shared any plans regarding this particular issue.
Unfortunately, there’s no practical defense against this for the time being. The only way to be sure you’re not being tracked in this manner is to simply stay off the web entirely, which just isn’t going to work for most people.
When the situation changes and at least one company has a plan on the table for fixing the issue, we’ll undoubtedly have more to say on the matter.