Abstract
Browser Extensions (BE) enhance the core functionality of the Browser and provide customization to it. Browser extensions enjoy high privileges, sometimes with the same privileges as Browser itself. As a consequence, a vulnerable or malicious extension might expose Browser and system resources to attacks. This may put Browser resources at risk of unwanted operations, privilege escalation etc. BE can snoop on web applications, launch arbitrary processes, and even access files from host file system. In addition to that, an extension can even collude with other installed extensions to share objects and change preferences. Although well-intentioned, extension developers are often not security experts. Hence, they might end up writing vulnerable code. In this paper we present a new attacks via Browser extensions. In particular, the attack allows two malicious extensions to communicate and collaborate with each other in such a way to achieve a malicious goal. We identify the vulnerable points in extension development framework as: (a) object reference sharing, and (b) preference overriding. We illustrate the effectiveness of the proposed attack using various attack scenarios. Furthermore, we provide a proof-of-concept illustration for web domains including Banking & shopping. We believe that the scenarios we use in use-case demonstration underlines the severity of the presented attack. Finally, we also contribute an initial framework to address the presented attack.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Defeating man-in-the-browser. how to prevent the latest malware attacks against consumer corporate banking, http://download.entrust.com/resources/download.cfm/24002/
Document object model, https://developer.mozilla.org/en/docs/DOM
Mozilla developer network-extensions, https://developer.mozilla.org/en/docs/Extensions
Protection against man-in-the-middle attacks, http://www.ca.com/~/media/Files/whitepapers/protection-from-mitm-mitb-attacks-wp.pdf
Security issue on amo, http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/
Understanding man-in-the-browser attacks and addressing the problem, http://ru.safenet-inc.com/uploadedFiles/About_SafeNet/Resource_Library/Resource_Items/WhitePapers-SFDCProtectedEDP/Man%20in%20the%20Browser%20Security%20Guide.pdf
Xpcom interface, https://developer.mozilla.org/en-US/docs/XUL/Tutorial/XPCOM_Interfaces
Xul overlays, https://developer.mozilla.org/en-US/docs/XUL_Overlays
Adam, B.: Severity guidelines for security issues. The Chromium Project, http://dev.chromium.org/developers/severity-guidelines
Adamski, L.: Security severity ratings. MozillaWiki (2008)
Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with vex. Commun. ACM 54(9), 91–99 (2011)
Caraig, D.: Firefox add-on spies on google search results, http://blog.trendmicro.com/firefox-addo-spies-on-google-search-results/
Dhawan, M., Ganapathy, V.: Analyzing information flow in javascript-based browser extensions. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC 2009, pp. 382–391 (2009)
Guhring, P.: Concepts against man-in-the-browser attacks
Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: Jsflow: Tracking information flow in javascript and its apis. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, SAC 2014, pp. 1663–1671. ACM, New York (2014)
Liu, L., Zhang, X., Yan, G., Chen, S.: Chrome extensions: Threat analysis and countermeasures. In: NDSS (2012)
Liverani, R.S., Freeman, N.: Abusing firefox extensions. In: Defcon17 (2009)
Maone, G.: Noscript
Saini, A., Gaur, M.S., Laxmi, V.: The darker side of firefox extension. In: Proceedings of the 6th International Conference on Security of Information and Networks, SIN 2013, pp. 316–320. ACM (2013)
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Extensible Web Browser Security. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 1–19. Springer, Heidelberg (2007)
Kevin, C., Timothy, D.: Man in the browser attacks. International Journal of Ambient Computing and Intelligence (IJACI) 4 (2012)
Utakrit, N.: Review of browser extensions, a man-in-the-browser phishing techniques targeting bank customer. In: 7th Australian Information Security Management Conference, p. 19 (2009)
Kindel, C., Williams, S.: The component object model: A technical overview
Zalewski, M.: Browser security handbook. Google Code (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Saini, A., Gaur, M.S., Laxmi, V., Singhal, T., Conti, M. (2014). Privacy Leakage Attacks in Browsers by Colluding Extensions. In: Prakash, A., Shyamasundar, R. (eds) Information Systems Security. ICISS 2014. Lecture Notes in Computer Science, vol 8880. Springer, Cham. https://doi.org/10.1007/978-3-319-13841-1_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-13841-1_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13840-4
Online ISBN: 978-3-319-13841-1
eBook Packages: Computer ScienceComputer Science (R0)