Browser Plugin Oversharing

Do you know what that browser plugin is doing?

There’s a browser plugin for just about everything. You can find one to change the name of your least-favorite politician into something offensive on every page you visit. There are malware blockers and password managers. Gail covered one to make PGP a little easier not too long back on this very blog.

The thing they all do, though, is they operate inside your browser. The web browser may well have displaced the medical exam room on the list of places where it’s hardest to hide something. Even when you want to do something privately online – when you delete your cookies or use incognito mode, or a search engine that promises not to track you – you still use a browser to find what you’re looking for. Your browser is in a position to know an awful lot about you, and plugins can know anything the browser knows.

So, when you find one that looks helpful, it’s worth a look to see what it’s actually doing with all the information you make available to it. Sometimes they do more than you’d expect.

On webapp tests, I sometimes use one called Wappalyzer to quickly identify what third-party components are involved in a website. It shows logos in the address bar to tell you what it’s found.

Look at all that stuff from the newspaper!

The installation page describes in general what the plugin does, and links to a FAQ. The last question in the FAQ tells you that the extension sends “anonymous information about websites you visit to wappalyzer.com,” and describes pretty clearly what that information is, and what it’s used for. You had to know it would do something like that. And you can opt out, so it’s all on the up and up so far.

Anyhow, I wondered what exactly might get sent back to them, and whether that might include confidential information about the sites I test for our customers.

So I did some aimless browsing on both public sites and internal sites on my own network, while capturing traffic in BurpSuite. As I went, I noticed occasional POST requests to a Wappalyzer URL that had a single large JSON object in the postdata.

Hey, what’s all that?

Speaking of plugins, there’s one called JSBeautifier for BurpSuite, which makes that kind of data far more readable:

Decoded post data

This accurately shows that I was on Reddit and clicked a link that took me to Walmart. It also doesn’t include the actual path I was on at either location, which is in line with their description. This doesn’t say exactly what I was looking at in either place, but it does say where I started, where I went, and when I did it (startTime is a Unix epoch timestamp).

Farther down, it shows the full URLs to some components. Some of these are the things it’s looking for to show me with those icons in the address bar. Most are generic URLs, but some have random-looking strings in them, which may (or may not) be user-specific.

Above: Some generic JS my browser picked up from Google

Above: A less-generic URL to doubleclick

That doubleclick.net URL is 1,580 characters long, and it includes some pretty specific information about me, including my physical location down to the ZIP code (probably by reverse IP lookup), the web browser I’m using, a few parameters that are GUIDs (globally-unique identifiers, which could be specific to me or not), and … the full URL of the page I was on at Walmart at the time.

That’s a full URL…

This contradicts what Wappalyzer says in their FAQ (https://wappalyzer.com/faq):

Wappalyzer FAQ Excerpt

Now, given how deeply that was buried, and that the thing they collected was not a URL I actively visited, but one that was added by a tracker on a site that I visited, this may be an oversight on Wappalyzer’s part. But it pretty clearly does include a full URL, and enough other information to fairly uniquely identify me – visited hosts, ZIP code, timestamp, and browser user-agent. And then we have those GUIDs, which may (or may not) identify me alone.

The other question was about non-public sites I’d visit. I often test sites on a customer’s intranet, or sites that are only available by VPN or otherwise shouldn’t be publicly disclosed. How could Wappalyzer possibly identify those and exclude them? Their FAQ doesn’t mention this at all, so my assumption was that these more sensitive locations wouldn’t get any special treatment. And it turned out that even the most obviously “not public” site of all – localhost – is included in the message.

Internal Site Included

This one doesn’t include any real path information: that string of digits doesn’t point to anything on my localhost web server. But it does disclose the internal hostname, the date & time I visited it, and the fact that it exists. All of that may be more than a customer would like me to reveal to a third party.
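The same check can be automated over POST bodies exported from the proxy. This is an added example, not code from the original post or from Wappalyzer: it walks a JSON body of any shape and flags internal hostnames and full page URLs nested in the query parameters of third-party URLs. The sample payload layout, the hostnames and the suffix list are constructed assumptions; only `startTime` is a field name taken from the post.

```python
import ipaddress
import json
from urllib.parse import parse_qsl, urlsplit

INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")  # assumed; adjust

def iter_strings(node):
    """Yield every string in decoded JSON, object keys included."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        children = [*node, *node.values()] if isinstance(node, dict) else node
        for child in children:
            yield from iter_strings(child)

def is_internal_host(host):
    """Loopback/private/link-local IP, localhost, single-label or internal suffix."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_loopback or ip.is_private or ip.is_link_local
    except ValueError:
        return host == "localhost" or "." not in host or host.endswith(INTERNAL_SUFFIXES)

def audit_url(text, findings, embedded=False):
    """Record internal hosts and full page URLs nested in query parameters."""
    if not text.lower().startswith(("http://", "https://")):
        return
    url = urlsplit(text)
    if url.hostname and is_internal_host(url.hostname):
        findings.add(("internal-host", url.hostname))
    if embedded and (url.path not in ("", "/") or url.query):
        findings.add(("embedded-page-url", text))
    for _, value in parse_qsl(url.query):
        audit_url(value, findings, embedded=True)

def audit_payload(body):
    """Return sorted findings for one captured JSON POST body."""
    findings = set()
    for text in iter_strings(json.loads(body)):
        audit_url(text, findings)
    return sorted(findings)

SAMPLE = json.dumps({  # constructed; only startTime is a field name from the page
    "http://localhost": {"startTime": 1500000000},
    "https://shop.example.com": {"startTime": 1500000060, "scripts": [
        "https://cdn.example.org/lib.js",
        "https://ads.example.net/adj?zip=00000&ref=https%3A%2F%2Fshop.example.com%2Fip%2Fitem%2F12345"]},
})
print(audit_payload(SAMPLE))
```

Only strings that begin with `http://` or `https://` are inspected, so bare hostnames stored without a scheme would need an extra rule.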

My takeaways from this little exercise:

  1. I need to remove this plugin before testing anything non-public.
  2. The privacy measures described in the FAQ are not completely in force.
  3. Browser plugins sit in a very privileged place, and should be chosen with great care.