Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

All major web browsers support browser extensions to add new features and extend their functionalities. Nevertheless, browser extensions have been the target of several attacks due to their tight relation with the browser environment. As a consequence, extensions have been abused in the past for malicious tasks such as private information gathering, browsing history retrieval, or passwords theft — leading to a number of severe targeted attacks. Even though no protection techniques existed in the past to secure extensions, all browsers now implement defensive countermeasures that, in theory, protect extensions and their resources from third party access. In this paper, we present two attacks that bypass these control techniques in every major browser family, enabling enumeration attacks against the list of installed extensions. In particular, we present a timing side-channel attack against the access control settings and an attack that takes advantage of poor programming practice, affecting a large number of Safari extensions. Due to the harmful nature of our findings, we also discuss possible countermeasures against our own attacks and reported our findings and countermeasures to the different actors involved. We believe that our study can help secure current implementations and help developers to avoid similar attacks in the future.

[1]  Benjamin Livshits,et al.  Verified Security for Browser Extensions , 2011, 2011 IEEE Symposium on Security and Privacy.

[2]  Adam Barth,et al.  Protecting Browsers from Extension Vulnerabilities , 2010, NDSS.

[3]  Julien Lironcourt Internet Security Seminar Analyzing Information Flow in JavaScript-based Browser Extensions , 2010 .

[4]  David A. Wagner,et al.  An Evaluation of the Google Chrome Extension Security Architecture , 2012, USENIX Security Symposium.

[5]  William K. Robertson,et al.  CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities , 2016, NDSS.

[6]  William K. Robertson,et al.  Securing Legacy Firefox Extensions with SENTINEL , 2013, DIMVA.

[7]  Ashvin Goel,et al.  Securing Script-Based Extensibility in Web Browsers , 2010, USENIX Security Symposium.

[8]  Marianne Winslett,et al.  Vetting browser extensions for security vulnerabilities with VEX , 2011, CACM.

[9]  Nick Nikiforakis,et al.  XHOUND: Quantifying the Fingerprintability of Browser Extensions , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[10]  Wouter Joosen,et al.  The Clock is Still Ticking: Timing Attacks in the Modern Web , 2015, CCS.

[11]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[12]  V. N. Venkatakrishnan,et al.  Extensible Web Browser Security , 2007, DIMVA.

[13]  Edward W. Felten,et al.  Timing attacks on Web privacy , 2000, CCS.

[14]  William K. Robertson,et al.  SENTINEL: Securing Legacy Firefox Extensions , 2015, Comput. Secur..

[15]  Walter Rudametkin,et al.  Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[16]  Zhenkai Liang,et al.  I Know Where You've Been: Geo-Inference Attacks via the Browser Cache , 2015, IEEE Internet Computing.

[17]  Dan Boneh,et al.  Exposing private information by timing web applications , 2007, WWW '07.

[18]  Collin Jackson,et al.  Cross-origin pixel stealing: timing attacks using CSS filters , 2013, CCS.

[19]  V. N. Venkatakrishnan,et al.  Enhancing web browser security against malware extensions , 2007, Journal in Computer Virology.

[20]  Christopher Krügel,et al.  Hulk: Eliciting Malicious Behavior in Browser Extensions , 2014, USENIX Security Symposium.

[21]  Ji Xiang,et al.  Towards Fine-Grained Access Control on Browser Extensions , 2012, ISPEC.

[22]  Lei Liu,et al.  Chrome Extensions: Threat Analysis and Countermeasures , 2012, NDSS.