HMAC and “secure preferences”: Revisiting chromium-based browsers security
Paper i proceeding, 2020

Google disabled years ago the possibility to freely modify some internal configuration parameters, so options like silently (un)install browser extensions, changing the home page or the search engine were banned. This capability was as simple as adding/removing some lines from a plain text file called Secure Preferences file automatically created by Chromium the first time it was launched. Concretely, Google introduced a security mechanism based on a cryptographic algorithm named Hash-based Message Authentication Code (HMAC) to avoid users and applications other than the browser modifying the Secure Preferences file. This paper demonstrates that it is possible to perform browser hijacking, browser extension fingerprinting, and remote code execution attacks as well as silent browser extensions (un)installation by coding a platform-independent proof-of-concept changeware that exploits the HMAC, allowing for free modification of the Secure Preferences file. Last but not least, we analyze the security of the four most important Chromium-based browsers: Brave, Chrome, Microsoft Edge, and Opera, concluding that all of them suffer from the same security pitfall.


Web security




Pablo Picazo-Sanchez

Chalmers, Data- och informationsteknik, Informationssäkerhet

Gerardo Schneider

Chalmers, Data- och informationsteknik, Formella metoder

Andrei Sabelfeld

Chalmers, Data- och informationsteknik, Informationssäkerhet

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

03029743 (ISSN) 16113349 (eISSN)

Vol. 12579 107-126
9783030654108 (ISBN)

19th International Conference on Cryptology and Network Security, CANS 2020
Vienna, Austria,



Datavetenskap (datalogi)




Mer information

Senast uppdaterat