The Stealth Oracle: How “Safe” Chrome Extensions Can Reconstruct Your Private URLs Character by Character
A sophisticated technique has been unearthed within Chrome that permits the exfiltration of the complete URL of any active tab, even by an extension explicitly denied access to tabs or website content. This vulnerability leverages the declarativeNetRequest permission, a permission traditionally viewed as benign because it is limited to request filtering rather than direct DOM manipulation. However, a researcher has demonstrated that this permission alone is sufficient to reconstruct a page’s address character by character by exploiting timing differences between blocked and permitted network requests.
The crux of the exploit resides in the declarativeNetRequest API, which empowers extensions to install dynamic rules that intercept requests matching specific patterns, including regular expressions. Within the Chromium engine, a blocked request is terminated instantaneously, returning a net::ERR_BLOCKED_BY_CLIENT error with virtually zero latency. Conversely, if no rule matches, the browser initiates a standard network connection, which takes significantly longer. This timing difference serves as an “oracle,” providing the side-channel information the extension needs to infer the URL’s structure.
Data indicates that a successful block results in a response time of approximately 10–30 milliseconds, whereas a failed match forces the browser into a network cycle lasting 50–100 milliseconds or more. To measure this effect without the tabs permission, the extension uses two rudimentary mechanisms: it invokes chrome.tabs.reload to initiate a refresh and listens for the "complete" status in the chrome.tabs.onUpdated event. By timing the interval between the reload and the completion event, the extension discerns whether the browser hit a rule-based block or performed a genuine network load.
The remainder of the process is a mathematical exercise. The extension crafts a dynamic rule with a regular expression tailored to a specific character position in the URL. If the browser responds “rapidly,” the extension confirms that the character at that index resides within a defined subset of values. By iterating this test and employing a binary search across the character set, the adversary can reconstitute the entire URL in remarkably few steps. A demonstration video, repro.mp4, illustrates the URI appearing character by character within the console.
The peril of this methodology lies in its stealth; it requires no user interaction and produces no overt indicators of compromise. An extension could clandestinely harvest sensitive data from the address bar, including OAuth codes, session identifiers, and API keys embedded in query strings. Furthermore, links to private or “unlisted” materials—such as those on YouTube, Google Drive, or Dropbox—alongside password reset tokens and confidential search queries (medical or financial) are all exposed. The extraction can even be obscured by minimizing the browser window or relegating it to the background.
Initial regression analysis has traced the emergence of this vulnerability to Chromium revisions 718858–718878, specifically identifying commit 1539dcc as the point where regex evaluation was integrated into the declarativeNetRequest rules. However, the researcher suggests that analogous techniques might be adaptable for even earlier iterations, possibly dating back to the introduction of the Dynamic Rules API.
The vulnerability was verified on Windows 11 24H2 and reproduced across several Chrome branches, including Stable (144.0.7559.97), Beta, Dev, and Canary. The reproduction scenario is alarmingly straightforward: a tester simply loads a manifest and a background script, opens a sensitive URL, and observes the character-by-character extraction within the service worker’s developer tools.
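Because the article’s central point is that declarativeNetRequest on its own is enough to infer the active tab’s URL, an extension whose manifest carries that permission but no tabs or host permissions should no longer be waved through as harmless. The following audit helper is an added example written for this article (not the researcher’s code and not Chrome’s tooling): it flags that permission combination in an unpacked extension’s manifest.json and counts static regexFilter rules as a hint, while noting that the dynamic rules the oracle actually uses are created at runtime and never appear on disk. The sample manifest and rule file are constructed.

```python
import json
from pathlib import Path

# Real Chrome permission names that grant request-filtering rules.
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def audit_extension(manifest: dict, rule_files: dict) -> dict:
    """manifest: parsed manifest.json; rule_files: static rule path -> parsed rule list."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    has_dnr = bool(perms & DNR_PERMS)
    # "tabs" or host permissions already expose URLs; without them reviewers tend to assume
    # the extension cannot see page addresses.
    url_access = "tabs" in perms or bool(manifest.get("host_permissions"))
    regex_rules = 0
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        for rule in rule_files.get(res.get("path"), []):
            if "regexFilter" in rule.get("condition", {}):
                regex_rules += 1
    return {
        "name": manifest.get("name", "?"),
        "dnr": has_dnr,
        # Only DNR is needed for the timing oracle: this combination looks harmless on
        # paper yet can still infer the active tab's URL.
        "dnr_without_url_access": has_dnr and not url_access,
        # Static regex rules are only a hint; the oracle adds dynamic rules at runtime,
        # which never appear on disk, so every DNR holder gets a review.
        "static_regex_rules": regex_rules,
        "verdict": "review" if has_dnr else "ok",
    }

def audit_unpacked(ext_dir: str) -> dict:
    # Audit an unpacked extension directory that contains manifest.json.
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text())
    rules = {}
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        if (root / res["path"]).exists():
            rules[res["path"]] = json.loads((root / res["path"]).read_text())
    return audit_extension(manifest, rules)

# Constructed sample: DNR only, no tabs/host permissions, one static regex rule.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Sample Blocker (constructed)",
    "permissions": ["declarativeNetRequest", "storage"],
    "declarative_net_request": {"rule_resources": [
        {"id": "r", "enabled": True, "path": "rules.json"}]},
}
SAMPLE_RULES = {"rules.json": [
    {"id": 1, "action": {"type": "block"},
     "condition": {"regexFilter": "^https://ads\\.", "resourceTypes": ["script"]}},
    {"id": 2, "action": {"type": "block"}, "condition": {"urlFilter": "||tracker.example"}},
]}
```

Run audit_unpacked against each directory under a profile’s Extensions folder to list every installed extension that holds declarativeNetRequest, regardless of how few other permissions it requests.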