
Firefox WebExtensions may be used to identify you on the Internet


Batu69

All modern web browsers leak extension information to sites if the sites run scripts to pull the information. We talked about the findings of a research team that published its findings recently in a paper.

 

Unless scripts are blocked, sites may run scripts that check the response time of the browser as it is different when checks are made for fake extensions and fake resources, and existing extensions and fake resources.

 

Firefox's situation is special, as it supports the legacy add-on system and the new WebExtensions system. The researcher tested the browser's legacy add-on system only, but suggested that Firefox's new system would also be vulnerable.

 

An anonymous reader pointed out that Firefox's WebExtensions system uses random IDs, and that this meant that the method to enumerate extensions would not work in that case (unlike in Chrome and other Chromium based browsers).

 

While that is correct, Mozilla's implementation introduces a new issue that allows sites to identify users if WebExtensions expose content to sites as the random IDs are permanent.

"... in particular, they [Mozilla] changed the initial scheme (moz-extension://[extID]/[path]) to moz-extension://[random-UUID]/[path]. Unfortunately, while this change makes indeed more difficult to enumerate user extensions, it introduces a far more dangerous problem. In fact, the random-UUID token can now be used to precisely fingerprint users if it is leaked by an extensions. A website can retrieve this UUID and use it to uniquely identify the user, as once it is generated the random ID never changes. We reported this design-related bug to Firefox developers as well."

If a site manages to get hold of the ID, it may track the Firefox installation as that ID never changes.

 

This is not just theoretical either; Earthling, one of the maintainers of the Ghacks Firefox user.js file, has created a proof of concept that highlights a leak in Firefox's native Screenshot tool.

 

While this particular example requires that users click on the screenshot button in the Firefox interface to make the unique ID available to the site, other extensions may expose content without user interaction.

 


Apple's Safari uses a random UUID system as well, and the researchers discovered that they could enumerate about 40% of all extensions as its implementation is flawed.

 

If the WebExtension exposes content to sites because they have implementation flaws, sites may fingerprint users based on the unique ID that gets exposed in the process.

Closing Words

Mozilla needs to rework the implementation to protect users of the browser from this. Even if you don't use WebExtensions at all, you may be vulnerable to this as Firefox ships with several system add-ons that may expose the ID to sites. (Thanks Pants and Earthling)

 

Article source

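Added example (not part of the original post or of the research it quotes): a small JavaScript audit that scans saved DOM snapshots for extension URLs injected into page content and reports which IDs persist across sessions, which is the property that turns a leaked `moz-extension://[random-UUID]` into a stable identifier. The snapshots, UUID and Chrome-style ID are constructed sample values, and treating a fixed Chromium extension ID as identifying only the extension goes slightly beyond what the post states.

```javascript
// Audit saved DOM snapshots (serialized HTML) for extension origins injected into page content.
// All sample data below is constructed; the UUID and the Chrome-style ID are made up.
const EXT_URL = /\b(moz-extension|chrome-extension):\/\/([0-9a-z-]+)(\/[^\s"'<>)]*)?/gi;
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Return every extension URL found in one snapshot.
function findExtensionOrigins(markup) {
  const hits = [];
  for (const m of markup.matchAll(EXT_URL)) {
    const id = m[2].toLowerCase();
    hits.push({
      scheme: m[1].toLowerCase(),
      id,
      path: m[3] || "/",
      // A per-install random UUID identifies the profile; a fixed ID identifies only the extension.
      identifies: UUID.test(id) ? "installation" : "extension",
    });
  }
  return hits;
}

// IDs present in every snapshot: they survived restarts, so they act as a stable identifier.
function persistentInstallIds(snapshots) {
  const perSnapshot = snapshots.map(s => new Set(
    findExtensionOrigins(s).filter(h => h.identifies === "installation").map(h => h.id)));
  if (perSnapshot.length === 0) return [];
  return [...perSnapshot[0]].filter(id => perSnapshot.every(set => set.has(id)));
}

// Constructed snapshots of one page, taken in two browser sessions of the same profile.
const session1 = `<body><iframe src="moz-extension://3f2a9c1e-7b4d-4e6a-9c0f-1a2b3c4d5e6f/ui/overlay.html"></iframe>
<img src="chrome-extension://abcdefghijklmnopabcdefghijklmnop/icon.png"></body>`;
const session2 = `<body><link rel="stylesheet" href="moz-extension://3F2A9C1E-7B4D-4E6A-9C0F-1A2B3C4D5E6F/ui/style.css">
<p>no other injected content</p></body>`;
// Constructed snapshot of a page where the extension keeps its UI out of the page DOM.
const cleanPage = `<body><p>nothing injected</p></body>`;

console.log(findExtensionOrigins(session1));
console.log("persistent install IDs:", persistentInstallIds([session1, session2]));
```

An empty result from `persistentInstallIds` across sessions is what an extension that does not expose its origin to page content should produce.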


1 hour ago, snf said:

It seems more and more.

It will have to be abandoned: Firefox.

 

:dunno:

Just dump Firefox to the Recycle Bin along with George Soros; download the Pale Moon browser instead.



These days I'm trying more and more Firefox forks (pre-e10 fiasco versions) and those who have decided to move on their own from v53... So far I've tried Waterfox (not so good after v53) and am now on Cyberfox v53 (ESR forks)... and it's more promising than the others! Will get to Palemoon soon and then compare them all!



7 minutes ago, IronY-Man said:

These days I'm trying more and more Firefox forks (pre-e10 fiasco versions) and those who have decided to move on their own from v53... So far I've tried Waterfox (not so good after v53) and am now on Cyberfox v53 (ESR forks)... and it's more promising than the others! Will get to Palemoon soon and then compare them all!

At the end, don't forget: which one is the better for you!



knowledge-Spammer

Firefox, what the hell are you doing? They must fix all the bad things they are doing. I feel I was right to say maybe I have to stop using Firefox.



knowledge-Spammer
8 hours ago, 0bin said:

Knowledge, try the ESR as steven36 suggested to me; then maybe we will switch to something else.

Look for the Firefox folder and open it; there is an exe for telemetry called pingsender.exe :P

maybe 

I just do not like how the Firefox team is thinking; they are going to f*** a good browser, and for what?



More info on this:

https://github.com/ghacksuserjs/ghacks-user.js/issues/191

Even if you use Waterfox, you need the No Resource URI Leak (clone):

https://raw.githubusercontent.com/earthlng/testpages/master/no_resource_uri_leak-1.1.1-an%2Bfx%2Bsm%2Btb.xpi

Because of this 

https://browserleaks.com/firefox

 

Palemoon really never leaks, though; it only gives out Default Locale and that's all.

 

 

They said they were going to fix this in v56:

https://groups.google.com/d/msg/mozilla.dev.platform/00-1tT15mX0/TzUrOD93AAAJ

You can test Nightly at Browserleaks, at the link I gave above too, to see if it still leaks.



3 hours ago, IronY-Man said:

Cyberfox v53(ESR forks)

It's no different than using Firefox v53 ESR; you still need No Resource URI Leak from AMO or it leaks. Cyberfox is full of bugs; I tested it again not long ago and uninstalled it because of bugs. Cyberfox has its own bugs and it has the bugs that are in Firefox; I'd much rather just use Firefox ESR and deal with one set of bugs. I use Waterfox on Linux with No Resource URI Leak (clone) because it lets me use legacy addons and because there are no PPAs or debs for ESR like there are for Waterfox. But there is no benefit from using Cyberfox; it just causes me to have more bugs, so on Windows I just use Firefox ESR and Palemoon...



3 hours ago, steven36 said:

It's no different than using Firefox v53 ESR; you still need No Resource URI Leak from AMO or it leaks. Cyberfox is full of bugs; I tested it again not long ago and uninstalled it because of bugs. Cyberfox has its own bugs and it has the bugs that are in Firefox; I'd much rather just use Firefox ESR and deal with one set of bugs. I use Waterfox on Linux with No Resource URI Leak (clone) because it lets me use legacy addons and because there are no PPAs or debs for ESR like there are for Waterfox. But there is no benefit from using Cyberfox; it just causes me to have more bugs, so on Windows I just use Firefox ESR and Palemoon...

Thanks for No Resource URI Leak from AMO... @steven36, I had read about it and then it slipped my mind... but as far as Cyberfox bugs go, I haven't encountered many on this version, and I was using ESR before this and Waterfox before that (and does it still allow legacy ones after v53? Asking because FF definitely dropped the ball on most of them!)... and I've had the same problems on both with my addon set but not with Cyberfox... it's more stable than both of those for now... and you're already on Palemoon... do all the legacy ones run smoothly on it?



14 minutes ago, IronY-Man said:

Thanks for No Resource URI Leak from AMO... @steven36, I had read about it and then it slipped my mind... but as far as Cyberfox bugs go, I haven't encountered many on this version, and I was using ESR before this and Waterfox before that (and does it still allow legacy ones after v53? Asking because FF definitely dropped the ball on most of them!)... and I've had the same problems on both with my addon set but not with Cyberfox... it's more stable than both of those for now... and you're already on Palemoon... do all the legacy ones run smoothly on it?

Palemoon sort of has its own addons page now, but some of the legacy ones from Firefox still work for it, and on Waterfox most legacy addons and unsigned addons still work fine. The guy from Waterfox plans to start hosting legacy addons as well. Before long I doubt you will be able to get them at AMO anymore. Cyberfox is dead in the water in 2018 anyway.



Although this problem is not limited to the screenshots extension, it's good to disable it.

 

Also, the Resource URI leak has been fixed in the latest Nightly build: https://www.reddit.com/r/firefox/comments/6wud0j/benign_resource_uri_leak_fixed_in_nightly/

Somebody even posted a proof on wilders: https://www.wilderssecurity.com/threads/firefox-57-an-overview-of-whats-new-with-resources.396305/page-3#post-2702939

 

 



4 hours ago, Undertaker said:

Although this problem is not limited to the screenshots extension, it's good to disable it.

If I just remove the screenshot icon, isn't that enough?



1 hour ago, vlefteriss said:

If I just remove the screenshot icon, isn't that enough?

Yeah, that won't be enough; you will have to dig into the about:config preferences, find the entries for the screenshots extension and disable it from there. :)



1 hour ago, vlefteriss said:
5 hours ago, Undertaker said:

Although this problem is not limited to the screenshots extension, it's good to disable it.

If I just remove the screenshot icon, isn't that enough?

Anyways, the Firefox screenshot tool is inadequate — it's better to disable it completely (as follows) and use a full-fledged, standalone screenshot tool, instead:—


user_pref("extensions.screenshots.disabled", true);

user_pref("extensions.screenshots.system-disabled", true);



On 8/31/2017 at 9:10 PM, Phantomboxe said:

I 1st read about this here 

https://www.reddit.com/r/privacy/comments/6vb44j/firefox_considering_anonymously_collecting/

Which will never affect me on Linux; I just use a fork of Firefox, and once 52 ESR is over I plan to just use a fork again on Windows like I used to some years ago.



16 hours ago, steven36 said:

Which will never affect me on Linux; I just use a fork of Firefox, and once 52 ESR is over I plan to just use a fork again on Windows like I used to some years ago.

I follow your advice.

I do this: change Firefox 55 for 52 ESR for Windows.

It's easy, 2 min.

Keep the old profile from 55, and add it in the install directory of 52 ESR.

Now I'm sheltered from this tracking?



Archived

This topic is now archived and is closed to further replies.
