Detecting uBlock origin via a timing side-channel

chrome extensions are bad, use firefox

I recently found a neat trick to check for the presence of Chrome extensions in a user's browser.

Chrome extensions often need to expose files to webpages (images, fonts, etc.) to webpages. These assets are listed in the extension's manifest.json file under the web_accessible_resources key.

These assets then become available via the chrome-extension:// URI, e.g. chrome-extension://<extension-id>/path/to/file.jpg

In manifest v2, these assets are available to any webpage. This means any extension with web_accessible_resources can be detected by a webpage. You could hypothetically fingerprint users by scanning for the presence of all every extension with web_accessible_resources. Which, by the way, almost every major extension has a few.

However, in the recently introduced manifest v3, a developer can specify which hosts are allowed to read the assets. This is superior for security, as it prevents an arbitrary site from easily being able to enumerate your extensions.

uBlock origin has some web_accessible_resources that it requires to be accessible to all origins, but it attempts to prevent them from being read via a network listener that blocks the request unless it contains a "secret token". However, this is easily detectable via timing as the network listener takes a significant amount of extra time to intercept the request :)

POC Code:

POC Site: