HMAC and “secure preferences”: Revisiting chromium-based browsers security
Paper in proceeding, 2020

Google disabled years ago the possibility to freely modify some internal configuration parameters, so options like silently (un)install browser extensions, changing the home page or the search engine were banned. This capability was as simple as adding/removing some lines from a plain text file called Secure Preferences file automatically created by Chromium the first time it was launched. Concretely, Google introduced a security mechanism based on a cryptographic algorithm named Hash-based Message Authentication Code (HMAC) to avoid users and applications other than the browser modifying the Secure Preferences file. This paper demonstrates that it is possible to perform browser hijacking, browser extension fingerprinting, and remote code execution attacks as well as silent browser extensions (un)installation by coding a platform-independent proof-of-concept changeware that exploits the HMAC, allowing for free modification of the Secure Preferences file. Last but not least, we analyze the security of the four most important Chromium-based browsers: Brave, Chrome, Microsoft Edge, and Opera, concluding that all of them suffer from the same security pitfall.

Chromium

Web security

Changeware

HMAC

Author

Pablo Picazo-Sanchez

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Gerardo Schneider

Chalmers, Computer Science and Engineering (Chalmers), Formal methods

Andrei Sabelfeld

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

03029743 (ISSN) 16113349 (eISSN)

Vol. 12579 107-126
9783030654108 (ISBN)

19th International Conference on Cryptology and Network Security, CANS 2020
Vienna, Austria,

Subject Categories

Computer Engineering

Computer Science

Computer Systems

DOI

10.1007/978-3-030-65411-5_6

More information

Latest update

1/8/2021 1