Following up on my previous post about the various ways third parties can leverage features of your web browser to observe your surfing habits and track you, I decided to look into our production logs to get a feel for how certain types of user data are going out the door.
For today, I thought I would focus on who is collecting browser information, namely browser plugin information that is sent back to a server in URL query parameter data. This typically involves using JavaScript to enumerate the contents of the navigator.plugins array, which lists the installed plugins in non-Internet-Explorer browsers. The enumeration loop composes a string of all the plugin names it finds, and that string is then included as a parameter in a subsequent request URL.
I started by searching for requests containing the string "Mozilla%20Default%20Plug-in", the name of the plugin that ships with many Firefox-based browsers; it has very little chance of being a false positive. In logs covering the first half of May I found over 56,000 requests containing my target plugin string. I then grouped and ordered the requests per host. Overall, those 56,000 requests belonged to only 1056 hosts, of which nearly half (502) were subdomains of Omniture's 2o7.net domain. Some interesting hostnames in the overall list include z.digg.com, ostats.mozilla.com, mtrics.cdc.gov, a.consumerreports.org, metrics.npr.org, stumbleupon.stumble-upon.com, a.ncbi.nlm.nih.gov, www.ac.vic.gov.au, metrics.aarp.org, and stateofgeorgia.122.2o7.net.
Next I thought I would see which other plugins were popular. Since Omniture uses a consistent URL request format and accounts for the bulk of the requests, I processed the logs pulling plugin usage data out of requests to Omniture and tabulated plugin usage on a per-client-IP basis. The most popular plugins, in order, were:
Mozilla Default Plug-in
Shockwave Flash
Adobe Acrobat
Windows Media Player Plug-in Dynamic Link Library
Microsoft Office 2003
iTunes Application Detector
Microsoft DRM
Shockwave for Director
Java TM Platform SE 6 U13
Citrix ICA Client
Windows Presentation Foundation
2007 Microsoft Office system
QuickTime Plug-in 7.6
RealPlayer tm G2 LiveConnect-Enabled Plug-In 32-bit
RealPlayer Version Plugin
Silverlight Plug-In
RealJukebox NS Plugin
Google Update
QuickTime Plug-in 7.5.5
Move Media Player
Java TM Platform SE 6 U7
DivX Web Player
Java TM Platform SE 6 U11
MetaStream 3 Plugin
ActiveTouch General Plugin Container
Google Updater
DivX Player Netscape Plugin
Microsoft Windows Media Player Firefox Plugin
Picasa
Java TM Platform SE 6 U5
QuickTime Plug-in 7.2
Java TM Platform SE 6 U2
Turner Media Plugin 1.0.0.10
Microsoft Office Live Plug-in for Firefox
getPlus for Adobe 15235
VMware Remote Console Plug-in
Java TM Platform SE 6 U3
getPlus for Adobe 15229
Avocent DSView Session Launcher Plugin
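To make the three steps above concrete (the client-side enumeration of navigator.plugins, the log search for the "Mozilla%20Default%20Plug-in" marker grouped per host, and the per-client-IP tabulation of plugin names), here is an added example in JavaScript that is not code from the original post and does not reproduce Omniture's actual request format. The query parameter name "plugins", the ";" delimiter, the "client-ip host path" log layout and the hostnames are all assumptions constructed for the example; the script runs under Node.js with no external modules and, in a browser, buildPluginParam can be handed the real navigator.plugins collection.

```javascript
// Added example, not from the original post. Shows what a tracking script
// builds from navigator.plugins and how a defender can mine access logs for
// that data. Parameter name, delimiter and log format are assumptions.

// 1. Client side: the enumeration loop over a plugin collection
// (navigator.plugins in a browser, a constructed array here).
function buildPluginParam(plugins) {
  const names = [];
  for (let i = 0; i < plugins.length; i++) {
    names.push(plugins[i].name);
  }
  // Assumed format: plugin names joined with ";" under a "plugins" parameter.
  return "plugins=" + encodeURIComponent(names.join(";"));
}

// Constructed stand-in for navigator.plugins so the example runs offline.
const FAKE_NAVIGATOR_PLUGINS = [
  { name: "Mozilla Default Plug-in" },
  { name: "Shockwave Flash" },
  { name: "Adobe Acrobat" },
];

// 2. Server side: constructed proxy-log lines in an assumed
// "client-ip host path" layout. Hosts are made up for the example.
const SAMPLE_LOG = [
  "10.0.0.5 stats.example.net /b/ss/?plugins=Mozilla%20Default%20Plug-in%3BShockwave%20Flash",
  "10.0.0.5 stats.example.net /b/ss/?plugins=Mozilla%20Default%20Plug-in%3BShockwave%20Flash",
  "10.0.0.7 stats.example.net /b/ss/?plugins=Mozilla%20Default%20Plug-in%3BAdobe%20Acrobat",
  "10.0.0.9 z.example.com /track?plugins=Mozilla%20Default%20Plug-in%3BShockwave%20Flash",
  "10.0.0.9 www.example.org /index.html",
].join("\n");

// The low-false-positive marker string used in the post.
const MARKER = "Mozilla%20Default%20Plug-in";

function parseLine(line) {
  const [ip, host, path] = line.split(" ");
  return { ip, host, path };
}

// Step one from the post: requests carrying the marker, counted per host.
function countMarkerPerHost(logText) {
  const perHost = new Map();
  for (const line of logText.split("\n")) {
    if (!line.includes(MARKER)) continue;
    const { host } = parseLine(line);
    perHost.set(host, (perHost.get(host) || 0) + 1);
  }
  return perHost;
}

// Decode the plugin list from a request path (assumed parameter/delimiter).
function extractPlugins(path) {
  const q = path.indexOf("?");
  if (q < 0) return null;
  const params = new URLSearchParams(path.slice(q + 1));
  const raw = params.get("plugins"); // URLSearchParams percent-decodes
  if (raw === null) return null;
  return raw.split(";").filter((s) => s.length > 0);
}

// Step two from the post: plugin popularity counted per distinct client IP,
// so a client that sends many requests is counted once per plugin.
function pluginPopularity(logText, trackerHost) {
  const seen = new Map(); // plugin name -> Set of client IPs
  for (const line of logText.split("\n")) {
    const { ip, host, path } = parseLine(line);
    if (host !== trackerHost) continue;
    const plugins = extractPlugins(path);
    if (!plugins) continue;
    for (const name of plugins) {
      if (!seen.has(name)) seen.set(name, new Set());
      seen.get(name).add(ip);
    }
  }
  // Descending by distinct-client count, then by name for a stable order.
  return [...seen.entries()]
    .map(([name, ips]) => [name, ips.size])
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildPluginParam(FAKE_NAVIGATOR_PLUGINS));
  console.log([...countMarkerPerHost(SAMPLE_LOG).entries()]);
  console.log(pluginPopularity(SAMPLE_LOG, "stats.example.net"));
}
```

On the constructed log, the marker search attributes three requests to stats.example.net and one to z.example.com, and the per-client tabulation ranks "Mozilla Default Plug-in" first with two distinct clients even though client 10.0.0.5 sent two requests. Against real logs the same two passes give the host ranking and the plugin ranking the post reports, once the parameter name and delimiter are replaced with the tracker's actual format.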
It's no surprise that Flash, Acrobat, etc. would be at the top of the list. Keep in mind that attackers are actively targeting web browser plugins; the above list should help get the point across that there is no shortage of targets out there. And it should also illustrate that sometimes things are being plugged in to browsers that you wouldn’t otherwise expect. For example, did you know that Microsoft Office installs a browser plugin? It's always worthwhile to understand the attack surface you are exposing to the Internet.
Until next time,
- Jeff