Discovering Browser Extensions via Web Accessible Resources
Paper in proceeding, 2017

Browser extensions provide a powerful platform to enrich browsing experience. At the same time, they raise important security questions. From the point of view of a website, some browser extensions are invasive, removing intended features and adding unintended ones, e.g. extensions that hijack Facebook likes. Conversely, from the point of view of extensions, some websites are invasive, e.g. websites that bypass ad blockers. Motivated by security goals at clash, this paper explores browser extension discovery, through a non-behavioral technique, based on detecting extensions' web accessible resources. We report on an empirical study with free Chrome and Firefox extensions, being able to detect over 50% of the top 1,000 free Chrome extensions, including popular security- and privacy-critical extensions such as AdBlock, LastPass, Avast Online Security, and Ghostery. We also conduct an empirical study of non-behavioral extension detection on the Alexa top 100,000 websites. We present the dual measures of making extension detection easier in the interest of websites and making extension detection more difficult in the interest of extensions. Finally, we discuss a browser architecture that allows a user to take control in arbitrating the conflicting security goals.

Web security

Browser extensions

Large-scale study

Author

Alexander Sjösten

Information Security

Steven Van Acker

Information Security

Andrei Sabelfeld

Information Security

CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Applications Security and Privacy

329-336
978-1-4503-4523-1 (ISBN)

7th ACM Conference on Data and Applications Security and Privacy, CODASPY 2017
Scottsdale, USA,

Subject Categories

Computer and Information Science

DOI

10.1145/3029806.3029820

More information

Latest update

8/27/2018