{"id":13553194,"url":"https://github.com/z0ccc/extension-detector","last_synced_at":"2025-04-05T04:12:53.598Z","repository":{"id":37243068,"uuid":"500963621","full_name":"z0ccc/extension-detector","owner":"z0ccc","description":"Check how trackable you are based on your browser extensions. ","archived":false,"fork":false,"pushed_at":"2023-09-25T01:23:16.000Z","size":1253,"stargazers_count":534,"open_issues_count":0,"forks_count":33,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-10-14T06:49:42.520Z","etag":null,"topics":["brave","browser-extension","browser-fingerprint","chrome","chrome-extension","fingerprint","fingerprinting","javascript","privacy","react","tracking"],"latest_commit_sha":null,"homepage":"https://z0ccc.github.io/extension-detector","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/z0ccc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-06-07T18:42:16.000Z","updated_at":"2024-10-13T11:49:08.000Z","dependencies_parsed_at":"2024-04-07T22:45:24.315Z","dependency_job_id":null,"html_url":"https://github.com/z0ccc/extension-detector","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z0ccc%2Fextension-detector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z0ccc%2Fextension-detector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z0ccc%2Fextension-detector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z0ccc%2Fextension-detector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/z0ccc","download_url":"https://codeload.github.com/z0ccc/extension-detector/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247284951,"owners_count":20913704,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brave","browser-extension","browser-fingerprint","chrome","chrome-extension","fingerprint","fingerprinting","javascript","privacy","react","tracking"],"created_at":"2024-08-01T12:02:19.403Z","updated_at":"2025-04-05T04:12:53.457Z","avatar_url":"https://github.com/z0ccc.png","language":"JavaScript","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"readme":"# Extension Detector\n\nCheck it out here: https://z0ccc.github.io/extension-detector\n\nChrome extensions can be detected by fetching their web accessible resources. These are files inside an extension that can be accessed by web pages. The detected extensions can be used to track you through browser fingerprinting.\n\nThis website scans over 1000 extensions and shows you the percentage of users that share the same extensions.\n\n## Browser Fingerprinting\n\nBrowser fingerprinting is a powerful method that websites use to collect information about your browser type and version, as well as your operating system, active plugins, time zone, language, screen resolution and various other active settings.\n\nThese data points might seem generic at first and don’t necessarily look tailored to identify one specific person. However, there’s a significantly small chance for another user to have 100% matching browser information.\n\nWebsites use the information that browsers provide to identify unique users and track their online behavior. This process is therefore called “browser fingerprinting.”\n\nhttps://pixelprivacy.com/resources/browser-fingerprinting/\n\n## Web Accessible Resources\n\nWeb-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension's bundle can be made web accessible.\n\nBy default no resources are web accessible; only pages or scripts loaded from an extension's origin can access that extension's resources. Extension authors can use the web_accessible_resources manifest property to declare which resources are exposed and to what origins.\n\n### Manifest v2 declaration\n\n```\n  \"web_accessible_resources\": [\n    \"test1.png\",\n    \"test2.png\".\n  ]\n```\n\n### Manifest v3 declaration\n\n```\n  \"web_accessible_resources\": [\n    {\n      \"resources\": [ \"test1.png\", \"test2.png\" ],\n      \"matches\": [ \"\u003call_urls\u003e\" ]\n    }\n  ],\n```\n\nLuckly in manifest v3 extensions will be able to enable 'use_dynamic_url' option, which will change the resource URL for each session (browser restart). This will render this detection method unusable.\n\nhttps://developer.chrome.com/docs/extensions/mv3/manifest/web_accessible_resources/\n\n## Detecting Extensions\n\n### Fetching web accessible resources\n\nA webpage can successfully fetch an installed extensions web accessible resource. If the fetch fails it usually means that the extension is not installed.\n\n```\nfetch(`chrome-extension://okbilfbeogweaoehlefnkodbefgpgknn/test.png`)\n      .then(() =\u003e (true))\n      .catch(() =\u003e (false))\n```\n\n### Resource timing comparison\n\nIn an effort to prevent detection some extensions will generate a secret token thats required to access their web accessible resources. Any fetch operation made without the secret token will result in failure. Although its much more difficult to detect these protected extensions, its still possible.\n\nResources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed.\n\n### MetaMask\n\nAlthough MetaMask has no web accessible resources, it can still be easily detected by checking if `typeof window.ethereum` equals `undefined`. This will not work on Brave as `typeof window.ethereum !== 'undefined'` will return true regardless of whether the extension is installed or not.\n\n```\n  if (typeof window.ethereum !== 'undefined' \u0026\u0026 !navigator.brave) {\n    return true;\n  }\n  return false;\n```\n\n### Firefox\n\nDetecting extensions using web accessible resources is not possible on Firefox as Firefox extension ID's are unique for every browser instance. Therefore the URL of the extension resources cannot be known by third parties.\n\n### Edge\n\nThis scan only detects extensions from the Chrome Web Store. Extensions from https://microsoftedge.microsoft.com can be detected using the same methods but are not supported by this tool.\n\n## Dev\n\nThis application is built with Javascript and React.\n\nClone this repo and run these commands to start the development server.\n\n```\nyarn\nyarn run start\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fz0ccc%2Fextension-detector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fz0ccc%2Fextension-detector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fz0ccc%2Fextension-detector/lists"}