Discovering Browser Extensions via Web Accessible Resources
Paper i proceeding, 2017

Browser extensions provide a powerful platform to enrich browsing experience. At the same time, they raise important security questions. From the point of view of a website, some browser extensions are invasive, removing intended features and adding unintended ones, e.g. extensions that hijack Facebook likes. Conversely, from the point of view of extensions, some websites are invasive, e.g. websites that bypass ad blockers. Motivated by security goals at clash, this paper explores browser extension discovery, through a non-behavioral technique, based on detecting extensions' web accessible resources. We report on an empirical study with free Chrome and Firefox extensions, being able to detect over 50% of the top 1,000 free Chrome extensions, including popular security- and privacy-critical extensions such as AdBlock, LastPass, Avast Online Security, and Ghostery. We also conduct an empirical study of non-behavioral extension detection on the Alexa top 100,000 websites. We present the dual measures of making extension detection easier in the interest of websites and making extension detection more difficult in the interest of extensions. Finally, we discuss a browser architecture that allows a user to take control in arbitrating the conflicting security goals.

Web security

Large-scale study

Browser extensions

Författare

Alexander Sjösten

Informationssäkerhet

Steven Van Acker

Informationssäkerhet

Andrei Sabelfeld

Informationssäkerhet

CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Applications Security and Privacy

329-336

Ämneskategorier

Data- och informationsvetenskap

DOI

10.1145/3029806.3029820

ISBN

978-1-4503-4523-1