Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions

Users have come to rely on browser extensions to obtain features that browser vendors do not implement. Extensions let users, among other things, block ads, de-clutter websites, enrich pages with third-party content, and take screenshots. At the same time, because of their privileged position inside a user's browser, extensions have access to content and functionality that is not available to webpages, such as the ability to issue and read cross-origin requests and to access the browser's history and cookie jar. In this paper, we report on the first large-scale study of privacy leakage enabled by extensions. Using dynamic analysis and simulated user interactions, we investigate the leakage caused by the 10,000 most popular Google Chrome extensions and find that a non-negligible fraction leaks sensitive information about the user's browsing habits, such as their browsing history and search-engine queries. We identify common ways in which extensions obfuscate this leakage and discover that, while some of it is deliberate, a large fraction is accidental and stems from the way extensions introduce third-party content into a page's DOM. To counter the inference of a user's interests and private information that this leakage enables, we design, implement, and evaluate BrowsingFog, a browser extension that automatically browses the web in a way that conceals the user's true interests from the vantage point of history-stealing, third-party trackers.
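The accidental leakage channel the abstract refers to can be made concrete with a small model. The following is an added example, not code from the paper or from any real extension: it assumes that a content script inserts a third-party element into the page's DOM, that the browser then fetches that element from the page's own context, and that the Referer header it attaches is governed by the Referrer Policy in force (the legacy browser default `no-referrer-when-downgrade` at the time of the paper, `strict-origin-when-cross-origin` in current Chrome). The host names, the search query and the stub `document` are all constructed for the demo; `refererFor` implements the core rules of the W3C Referrer Policy specification in simplified form.

```javascript
// Added example (not from the paper): models how a content script that injects
// third-party content into a page leaks the page URL via the Referer header, and
// how setting referrerPolicy on the injected element prevents it.

// Referer value a browser attaches to a request for `targetUrl` issued from a document
// at `pageUrl` under the given Referrer Policy. Fragments and credentials are always
// stripped; "downgrade" means an https page requesting an http resource.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const originOnly = page.origin + "/";
  const full = page.origin + page.pathname + page.search;
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol === "http:";
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin": // Chrome's default since version 85
      return sameOrigin ? full : (downgrade ? null : originOnly);
    case "no-referrer-when-downgrade": // browser default at the time of the paper
      return downgrade ? null : full;
    case "unsafe-url": return full;
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// What a content script typically does: create an element pointing at the third party
// and append it to the page. `doc` is the page's document; a stub suffices offline.
function injectThirdPartyWidget(doc, src, referrerPolicy) {
  const el = doc.createElement("iframe");
  el.src = src;
  if (referrerPolicy) el.referrerPolicy = referrerPolicy; // unset => document policy applies
  doc.body.appendChild(el);
  return el;
}

// Simulate the request the browser issues for the injected element: the element's own
// referrerPolicy wins if set, otherwise the document's policy (header/meta or default).
function simulateInjectedRequest(pageUrl, el, documentPolicy) {
  const policy = el.referrerPolicy || documentPolicy;
  return { requestUrl: el.src, policy, referer: refererFor(pageUrl, el.src, policy) };
}

// Does the Referer reveal more than the visited site's origin (i.e. path or query)?
function leaksPathOrQuery(referer, pageUrl) {
  if (!referer) return false;
  return referer.length > (new URL(pageUrl).origin + "/").length;
}

// Minimal document stub so the example runs outside a browser (constructed for the demo).
function makeStubDocument() {
  const body = { children: [], appendChild(el) { this.children.push(el); } };
  return { body, createElement(tag) { return { tagName: tag.toUpperCase() }; } };
}

// Constructed scenario: a user searching on a fictional engine while an extension
// injects a widget from a fictional third-party host.
const PAGE = "https://search.example-engine.test/search?q=symptoms+of+rare+disease";
const WIDGET = "https://widgets.third-party.test/toolbar.html";

function demo() {
  const doc = makeStubDocument();
  // Leaky pattern: no referrerPolicy on the element, page under the legacy default.
  const leaky = simulateInjectedRequest(PAGE, injectThirdPartyWidget(doc, WIDGET), "no-referrer-when-downgrade");
  // Hardened pattern: the extension sets referrerPolicy on everything it injects.
  const fixed = simulateInjectedRequest(PAGE, injectThirdPartyWidget(doc, WIDGET, "no-referrer"), "no-referrer-when-downgrade");
  // Modern default: only the origin crosses to the third party, which still reveals the site visited.
  const modern = simulateInjectedRequest(PAGE, injectThirdPartyWidget(doc, WIDGET), "strict-origin-when-cross-origin");
  return { leaky, fixed, modern };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(demo())) {
    console.log(name, r.policy, "Referer:", r.referer, "leaks path/query:", leaksPathOrQuery(r.referer, PAGE));
  }
}
```

Under the legacy default the third party receives the full search URL, including the query; with `referrerPolicy = "no-referrer"` on the injected element it receives nothing, and under the current Chrome default it still learns which site the user is on. An extension that must embed third-party content in pages can therefore close the accidental channel by setting the policy on each injected element, and a reviewer auditing an extension can look for DOM injections that omit it.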
