Hardening the security analysis of browser extensions
Paper in proceedings, 2022

Browser extensions enrich the browsing experience with features ranging from automatic translation and grammar correction to password management, ad blocking, and remote desktops. Yet the power of extensions poses significant privacy and security challenges, because extensions can be malicious and/or vulnerable. We observe gaps in previous work on analyzing the security of browser extensions and present a systematic study of attack entry points in the browser extension ecosystem. Our study reveals novel password-stealing, traffic-stealing, and inter-extension attacks. Based on a combination of static and dynamic analysis, we show how to discover extension attacks, both known and novel, and study their prevalence in the wild. We show that 1,349 extensions are vulnerable to inter-extension attacks leading to XSS. Our empirical study uncovers a remarkable cluster of "New Tab" extensions in which 4,410 extensions perform traffic-stealing attacks. We suggest several avenues for countermeasures against the uncovered attacks, ranging from refining the permission model to mitigating the attacks through declarations in manifest files.
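The abstract only names the attack classes; the concrete entry points are in the paper itself. As an added illustration (not code from the paper or its authors), the block below shows the general shape of an inter-extension attack leading to XSS and the two-layer fix the abstract alludes to: a manifest declaration (`externally_connectable.ids`) that restricts which extensions may connect, plus a handler that re-checks the sender and writes received data as text rather than HTML. The browser is replaced by a minimal stand-in so the file runs in Node; the extension ids and the message shape are hypothetical.

```javascript
// Added example, not from the paper: an external-message handler in an
// extension page as an XSS sink, beside its hardened form.
// Assumes the Chrome extension messaging API shape
// (chrome.runtime.onMessageExternal, sender.id); the DOM is replaced by a
// two-property stand-in so this runs in Node without a browser.

// Stand-in for a DOM element: only the properties the handlers touch.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// VULNERABLE: any extension allowed to connect can push a string that is
// rendered as HTML inside this extension's (privileged) page.
function handleExternalMessageVulnerable(msg, sender, el) {
  el.innerHTML = "<b>Status:</b> " + msg.text; // attacker-controlled markup
  return { ok: true };
}

// Hypothetical id of the one extension we intend to talk to.
const TRUSTED_SENDER_IDS = new Set(["abcdefghijklmnopabcdefghijklmnop"]);

// HARDENED: (1) the manifest fragment below limits who may connect at all,
// (2) the handler re-checks sender.id anyway (defence in depth),
// (3) the payload is type-checked and written as text, never parsed as HTML.
function handleExternalMessageHardened(msg, sender, el) {
  if (!sender || !TRUSTED_SENDER_IDS.has(sender.id)) {
    return { ok: false, error: "untrusted sender" };
  }
  if (typeof msg?.text !== "string" || msg.text.length > 256) {
    return { ok: false, error: "bad payload" };
  }
  el.textContent = "Status: " + msg.text; // inert: no markup interpretation
  return { ok: true };
}

// manifest.json fragment (hypothetical ids). Without the `ids` restriction
// every installed extension may reach onMessageExternal.
const MANIFEST_FRAGMENT = {
  externally_connectable: { ids: [...TRUSTED_SENDER_IDS] },
};

// Wiring inside a real extension page (not executed here):
// chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => {
//   const el = document.getElementById("status");
//   sendResponse(handleExternalMessageHardened(msg, sender, el));
// });

// Constructed sample: a hostile extension sends an HTML payload.
const HOSTILE_MSG = { text: '<img src=x onerror="alert(document.cookie)">' };
const HOSTILE_SENDER = { id: "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" };

// Runs both handlers on the hostile message and reports what landed in the DOM.
function demo() {
  const a = makeElement();
  const b = makeElement();
  const vuln = handleExternalMessageVulnerable(HOSTILE_MSG, HOSTILE_SENDER, a);
  const hard = handleExternalMessageHardened(HOSTILE_MSG, HOSTILE_SENDER, b);
  return {
    vulnInjected: a.innerHTML.includes("onerror"), // true: markup reached innerHTML
    vuln,
    hard, // { ok: false, error: "untrusted sender" }
    hardHtml: b.innerHTML, // "" : nothing was written as HTML
  };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The manifest restriction is the cheap, declarative layer the abstract points at; the handler-side check matters because `externally_connectable` only gates who can open the channel, not what a permitted peer sends, so the payload still has to be treated as untrusted input.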

browser extensions

web security

Authors

Benjamin Eriksson

Chalmers, Computer Science and Engineering, Information Security

Pablo Picazo-Sanchez

Chalmers, Computer Science and Engineering, Information Security

Andrei Sabelfeld

Chalmers, Computer Science and Engineering, Information Security

Proceedings of the ACM Symposium on Applied Computing

1694-1703
9781450387132 (ISBN)

37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022
Virtual, Online

Subject categories

Language Technology (Computational Linguistics)

Computer Science

Computer Systems

DOI

10.1145/3477314.3507098

More information

Last updated

2024-01-03