Skip to main content
SpringerLink
Log in

HMAC and “Secure Preferences”: Revisiting Chromium-Based Browsers Security

  • Conference paper
  • First Online:
Book cover Cryptology and Network Security (CANS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12579))

Included in the following conference series:

  • 928 Accesses

Abstract

Google disabled years ago the possibility to freely modify some internal configuration parameters, so options like silently (un)install browser extensions, changing the home page or the search engine were banned. This capability was as simple as adding/removing some lines from a plain text file called Secure Preferences file automatically created by Chromium the first time it was launched. Concretely, Google introduced a security mechanism based on a cryptographic algorithm named Hash-based Message Authentication Code (HMAC) to avoid users and applications other than the browser modifying the Secure Preferences file. This paper demonstrates that it is possible to perform browser hijacking, browser extension fingerprinting, and remote code execution attacks as well as silent browser extensions (un)installation by coding a platform-independent proof-of-concept changeware that exploits the HMAC, allowing for free modification of the Secure Preferences file. Last but not least, we analyze the security of the four most important Chromium-based browsers: Brave, Chrome, Microsoft Edge, and Opera, concluding that all of them suffer from the same security pitfall.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Brave uses Chrome user-agent (desktop and Android) and Firefox user-agent (iOS).

  2. 2.

    https://github.com/Pica4x6/SecurePreferencesFile.

  3. 3.

    https://www.virustotal.com.

  4. 4.

    https://metadefender.opswat.com.

  5. 5.

    https://www.virscan.org.

References

  1. spyware: Softonic (2019). https://www.2-spyware.com/remove-softonic.html

  2. Aggarwal, A., Viswanath, B., Zhang, L., Kumar, S., Shah, A., Kumaraguru, P.: I spy with my little eye: analysis and detection of spying browser extensions. In: EuroS&P, pp. 47–61, April 2018

    Google Scholar 

  3. Arshad, S., Kharraz, A., Robertson, W.: Identifying extension-based ad injection via fine-grained web content provenance. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 415–436. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_19

    Chapter  Google Scholar 

  4. Awakesecurity: Discovery of a massive, criminal surveillance campaign (2020). https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/

  5. Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with VEX. Commun. ACM 54(9), 91–99 (2011)

    Article  Google Scholar 

  6. Banescu, S., Pretschner, A., Battré, D., Cazzulani, S., Shield, R., Thompson, G.: Software-based protection against changeware. In: CODASPY, pp. 231–242 (2015)

    Google Scholar 

  7. Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: CHES, pp. 215–236 (2016)

    Google Scholar 

  8. Carlini, N., Felt, A.P., Wagner, D.: An evaluation of the google chrome extension security architecture. In: USENIX, pp. 97–111 (2012)

    Google Scholar 

  9. Chen, Q., Kapravelos, A.: Mystique: uncovering information leakage from browser extensions. In: CCS, p. 1687–1700 (2018)

    Google Scholar 

  10. Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Selected Areas in Cryptography, pp. 250–270 (2003)

    Google Scholar 

  11. Chromium: No more silent extension installs (2019). http://blog.chromium.org

  12. Cimpanu, C.: Windows 10 to get PUA/PUP protection feature (2020). https://www.zdnet.com/article/windows-10-to-get-puapup-protection-feature/

  13. Dhawan, M., Ganapathy, V.: Analyzing information flow in Javascript-based browser extensions. In: ACSAC, pp. 382–391 (2009)

    Google Scholar 

  14. Forrest, S., Somayaji, A., Ackley, D.H.: Building diverse computer systems. In: Workshop on Hot Topics in Operating Systems, pp. 67–72, May 1997

    Google Scholar 

  15. gs.statcounter: Browser market share (2020). https://gs.statcounter.com/browser-market-share

  16. Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: S&P, pp. 115–130 (2011)

    Google Scholar 

  17. HMAC: Chromium Secure Preferences (2019). https://kaimi.io/2015/04/google-chrome-and-secure-preferences/

  18. Jagpal, N., et al.: Trends and lessons from three years fighting malicious extensions. In: USENIX, pp. 579–593 (2015)

    Google Scholar 

  19. Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: USENIX, pp. 641–654 (2014)

    Google Scholar 

  20. Karami, S., Ilia, P., Solomos, K., Polakis, J.: Carnus: exploring the privacy threats of browser extension fingerprinting. In: NDSS (2020)

    Google Scholar 

  21. Kotzias, P., Matic, S., Rivera, R., Caballero, J.: Certified pup: abuse in authenticode code signing. In: CCS, pp. 465–478 (2015)

    Google Scholar 

  22. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: keyed-hashing for message authentication. Internet Engineering Task Force (IETF) (1997)

    Google Scholar 

  23. Laperdrix, P., Bielova, N., Baudry, B., Avoine, G.: Browser fingerprinting: a survey. CoRR abs/1905.01051 (2019). http://arxiv.org/abs/1905.01051

  24. Lerner, B.S., Elberty, L., Poole, N., Krishnamurthi, S.: Verifying web browser extensions’ compliance with private-browsing mode. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 57–74. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_4

    Chapter  Google Scholar 

  25. Malwarebytes: Billion-dollar search engine industry attracts vultures, shady advertisers, and cybercriminals (2020). https://blog.malwarebytes.com

  26. Malwarebytes: WinYahoo (2020). https://blog.malwarebytes.com

  27. Microsoft: Microsoft edge: making the web better through more open source collaboration (2019). https://bit.ly/2QeZFwm

  28. Microsoft: How windows 10 uses the trusted platform module (2020)

    Google Scholar 

  29. Microsoft: Windows defender and secure preferences file (2020). https://answers.microsoft.com

  30. Picazo-Sanchez, P., Tapiador, J., Schneider, G.: After you, please: browser extensions order attacks and countermeasures. Int. J. Inf. Securi. 1–16 (2019)

    Google Scholar 

  31. Rogowski, R., Morton, M., Li, F., Monrose, F., Snow, K.Z., Polychronakis, M.: Revisiting browser security in the modern era: new data-only attacks and defenses. In: EuroS&P, pp. 366–381, April 2017

    Google Scholar 

  32. Sánchez-Rola, I., Santos, I., Balzarotti, D.: Extension breakdown: security analysis of browsers extension resources control policies. In: USENIX, pp. 679–694 (2017)

    Google Scholar 

  33. Sanfelix, E., Mune, C., de Haas, J.: Unboxing the white-box. In: Black Hat EU 2015 (2015)

    Google Scholar 

  34. Sjösten, A., Van Acker, S., Picazo-Sanchez, P., Sabelfeld, A.: LATEX GLOVES: protecting browser extensions from probing and revelation attacks. In: NDSS (2018)

    Google Scholar 

  35. Somé, D.F.: Empoweb: empowering web applications with browser extensions. In: S&P, pp. 227–245, May 2019

    Google Scholar 

  36. Starov, O., Nikiforakis, N.: Xhound: quantifying the fingerprintability of browser extensions. In: S&P, pp. 941–956 (2017)

    Google Scholar 

  37. Starov, O., Laperdrix, P., Kapravelos, A., Nikiforakis, N.: Unnecessarily identifiable: quantifying the fingerprintability of browser extensions due to bloat. In: WWW, p. 3244–3250 (2019)

    Google Scholar 

  38. Statcounter: Desktop Browser Market Share Worldwide (2019). https://gs.statcounter.com

  39. UK, P.: Update Java, get yahoo as your default search engine (2019). https://uk.pcmag.com

  40. Urban, T., Tatang, D., Holz, T., Pohlmann, N.: Towards understanding privacy implications of adware and potentially unwanted programs. In: ESORICS, pp. 449–469 (2018)

    Google Scholar 

  41. Varshney, G., Misra, M., Atrey, P.K.: Detecting spying and fraud browser extensions: short paper. In: MPS, pp. 45–52 (2017)

    Google Scholar 

  42. w3schools: Browser Statistics (2019). https://www.w3schools.com/browsers/

  43. Xing, X., et al.: Understanding malvertising through ad-injecting browser extensions. In: WWW, pp. 1286–1295 (2015)

    Google Scholar 

  44. Zhao, R., Yue, C., Yi, Q.: Automatic detection of information leakage vulnerabilities in browser extensions. In: WWW, pp. 1384–1394 (2015)

    Google Scholar 

Download references

Acknowledgments

This work was partially supported by the Swedish Foundation for Strategic Research (SSF) and the Swedish Research Council (Vetenskapsrådet) under grant Nr. 2015-04154 (PolUser: Rich User-Controlled Privacy Policies).

Author information

Authors and Affiliations

  1. Chalmers University of Technology, Gothenburg, Sweden

    Pablo Picazo-Sanchez, Gerardo Schneider & Andrei Sabelfeld

Authors
  1. Pablo Picazo-Sanchez
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gerardo Schneider
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andrei Sabelfeld
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pablo Picazo-Sanchez .

Editor information

Editors and Affiliations

  1. AIT Austrian Institute of Technology GmbH, Vienna, Austria

    Stephan Krenn

  2. Fraunhofer SIT, Darmstadt, Germany

    Haya Shulman

  3. IC LASEC, EPFL, Lausanne, Switzerland

    Serge Vaudenay

A Installed-by-Default Extensions

A Installed-by-Default Extensions

Table 3. Brave installed-by-default extensions.
Full size table
Table 4. Microsoft Edge installed-by-default extensions.
Full size table
Table 5. Chrome installed-by-default extensions.
Full size table
Table 6. Opera installed-by-default extensions.
Full size table

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Picazo-Sanchez, P., Schneider, G., Sabelfeld, A. (2020). HMAC and “Secure Preferences”: Revisiting Chromium-Based Browsers Security. In: Krenn, S., Shulman, H., Vaudenay, S. (eds) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science(), vol 12579. Springer, Cham. https://doi.org/10.1007/978-3-030-65411-5_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-65411-5_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65410-8

  • Online ISBN: 978-3-030-65411-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation