Latex Gloves: Protecting Browser Extensions from Probing and Revelation Attacks
Paper in proceeding, 2019
Browser extensions enable rich experience for the users of today's web. Being
deployed with elevated privileges, extensions are given the power to overrule
web pages. As a result, web pages often seek to detect the installed extensions,
sometimes for benign adoption of their behavior but sometimes as part of
privacy-violating user fingerprinting.
Researchers have studied a class of attacks that allow detecting extensions by
probing for Web Accessible Resources (WARs) via URLs that include public
extension IDs.
Realizing privacy risks associated with WARs, Firefox has recently moved to
randomize a browser extension's ID, prompting the Chrome team to plan for
following the same path.
However, rather than mitigating the issue, the randomized IDs can in fact
exacerbate the extension detection problem, enabling attackers to use a
randomized ID as a reliable fingerprint of a user.
We study a class of extension revelation attacks, where extensions reveal
themselves by injecting their code on web pages.
We demonstrate how a combination of revelation and probing can uniquely identify
90% out of all extensions injecting content, in spite of a randomization scheme.
We perform a series of large-scale studies to estimate possible implications of
both classes of attacks.
As a countermeasure, we propose a browser-based mechanism that enables control
over which extensions are loaded on which web pages and present a proof of
concept implementation which blocks both classes of attacks.
deployed with elevated privileges, extensions are given the power to overrule
web pages. As a result, web pages often seek to detect the installed extensions,
sometimes for benign adoption of their behavior but sometimes as part of
privacy-violating user fingerprinting.
Researchers have studied a class of attacks that allow detecting extensions by
probing for Web Accessible Resources (WARs) via URLs that include public
extension IDs.
Realizing privacy risks associated with WARs, Firefox has recently moved to
randomize a browser extension's ID, prompting the Chrome team to plan for
following the same path.
However, rather than mitigating the issue, the randomized IDs can in fact
exacerbate the extension detection problem, enabling attackers to use a
randomized ID as a reliable fingerprint of a user.
We study a class of extension revelation attacks, where extensions reveal
themselves by injecting their code on web pages.
We demonstrate how a combination of revelation and probing can uniquely identify
90% out of all extensions injecting content, in spite of a randomization scheme.
We perform a series of large-scale studies to estimate possible implications of
both classes of attacks.
As a countermeasure, we propose a browser-based mechanism that enables control
over which extensions are loaded on which web pages and present a proof of
concept implementation which blocks both classes of attacks.
large-scale studies
fingerprinting
browser extensions
privacy
web security
Author
Alexander Sjösten
Chalmers, Computer Science and Engineering (Chalmers), Information Security
Steven Van Acker
Chalmers, Computer Science and Engineering (Chalmers), Information Security
Pablo Picazo-Sanchez
Chalmers, Computer Science and Engineering (Chalmers), Formal methods
Andrei Sabelfeld
Chalmers, Computer Science and Engineering (Chalmers), Information Security
Proceedings 2019 Network and Distributed System Security Symposium
1-891562-55-X (ISBN)
The Network and Distributed System Security Symposium
San Diego, USA,
San Diego, USA,
Areas of Advance
Information and Communication Technology
Subject Categories
Computer and Information Science
DOI
10.14722/ndss.2019.23309
ISBN
189156255X