论文信息 - Privacy Leakage Attacks in Browsers by Colluding Extensions

Privacy Leakage Attacks in Browsers by Colluding Extensions

Browser Extensions (BE) enhance the core functionality of the Browser and provide customization to it. Browser extensions enjoy high privileges, sometimes with the same privileges as Browser itself. As a consequence, a vulnerable or malicious extension might expose Browser and system resources to attacks. This may put Browser resources at risk of unwanted operations, privilege escalation etc. BE can snoop on web applications, launch arbitrary processes, and even access files from host file system. In addition to that, an extension can even collude with other installed extensions to share objects and change preferences. Although well-intentioned, extension developers are often not security experts. Hence, they might end up writing vulnerable code. In this paper we present a new attacks via Browser extensions. In particular, the attack allows two malicious extensions to communicate and collaborate with each other in such a way to achieve a malicious goal. We identify the vulnerable points in extension development framework as: (a) object reference sharing, and (b) preference overriding. We illustrate the effectiveness of the proposed attack using various attack scenarios. Furthermore, we provide a proof-of-concept illustration for web domains including Banking & shopping. We believe that the scenarios we use in use-case demonstration underlines the severity of the presented attack. Finally, we also contribute an initial framework to address the presented attack.

[1] V. N. Venkatakrishnan,et al. Extensible Web Browser Security , 2007, DIMVA.

[2] Pavel Laskov,et al. Detection of Intrusions and Malware, and Vulnerability Assessment: 19th International Conference, DIMVA 2022, Cagliari, Italy, June 29 –July 1, 2022, Proceedings , 2022, International Conference on Detection of intrusions and malware, and vulnerability assessment.

[3] Vinod Ganapathy,et al. Analyzing Information Flow in JavaScript-Based Browser Extensions , 2009, 2009 Annual Computer Security Applications Conference.

[4] Nattakant Utakrit. Review of Browser Extensions, a Man-in-the-Browser Phishing Techniques Targeting Bank Customers , 2009 .

[5] Marianne Winslett,et al. Vetting browser extensions for security vulnerabilities with VEX , 2011, CACM.

[6] Kevin Curran,et al. Man in the Browser Attacks , 2012, Int. J. Ambient Comput. Intell..

[7] Lei Liu,et al. Chrome Extensions: Threat Analysis and Countermeasures , 2012, NDSS.

[8] Vijay Laxmi,et al. The darker side of Firefox extension , 2013, SIN.

[9] Arnar Birgisson,et al. JSFlow: tracking information flow in JavaScript and its APIs , 2014, SAC.