Skip to main content
SpringerLink
Log in

Privacy Leakage Attacks in Browsers by Colluding Extensions

  • Conference paper
Information Systems Security (ICISS 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8880))

Included in the following conference series:

Abstract

Browser Extensions (BE) enhance the core functionality of the Browser and provide customization to it. Browser extensions enjoy high privileges, sometimes with the same privileges as Browser itself. As a consequence, a vulnerable or malicious extension might expose Browser and system resources to attacks. This may put Browser resources at risk of unwanted operations, privilege escalation etc. BE can snoop on web applications, launch arbitrary processes, and even access files from host file system. In addition to that, an extension can even collude with other installed extensions to share objects and change preferences. Although well-intentioned, extension developers are often not security experts. Hence, they might end up writing vulnerable code. In this paper we present a new attacks via Browser extensions. In particular, the attack allows two malicious extensions to communicate and collaborate with each other in such a way to achieve a malicious goal. We identify the vulnerable points in extension development framework as: (a) object reference sharing, and (b) preference overriding. We illustrate the effectiveness of the proposed attack using various attack scenarios. Furthermore, we provide a proof-of-concept illustration for web domains including Banking & shopping. We believe that the scenarios we use in use-case demonstration underlines the severity of the presented attack. Finally, we also contribute an initial framework to address the presented attack.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Defeating man-in-the-browser. how to prevent the latest malware attacks against consumer corporate banking, http://download.entrust.com/resources/download.cfm/24002/

  2. Document object model, https://developer.mozilla.org/en/docs/DOM

  3. Mozilla developer network-extensions, https://developer.mozilla.org/en/docs/Extensions

  4. Protection against man-in-the-middle attacks, http://www.ca.com/~/media/Files/whitepapers/protection-from-mitm-mitb-attacks-wp.pdf

  5. Security issue on amo, http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/

  6. Understanding man-in-the-browser attacks and addressing the problem, http://ru.safenet-inc.com/uploadedFiles/About_SafeNet/Resource_Library/Resource_Items/WhitePapers-SFDCProtectedEDP/Man%20in%20the%20Browser%20Security%20Guide.pdf

  7. Xpcom interface, https://developer.mozilla.org/en-US/docs/XUL/Tutorial/XPCOM_Interfaces

  8. Xpconnect, https://developer.mozilla.org/en/docs/XPConnect

  9. Xul overlays, https://developer.mozilla.org/en-US/docs/XUL_Overlays

  10. Adam, B.: Severity guidelines for security issues. The Chromium Project, http://dev.chromium.org/developers/severity-guidelines

  11. Adamski, L.: Security severity ratings. MozillaWiki (2008)

    Google Scholar 

  12. Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with vex. Commun. ACM 54(9), 91–99 (2011)

    Article  Google Scholar 

  13. Caraig, D.: Firefox add-on spies on google search results, http://blog.trendmicro.com/firefox-addo-spies-on-google-search-results/

  14. Dhawan, M., Ganapathy, V.: Analyzing information flow in javascript-based browser extensions. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC 2009, pp. 382–391 (2009)

    Google Scholar 

  15. Guhring, P.: Concepts against man-in-the-browser attacks

    Google Scholar 

  16. Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: Jsflow: Tracking information flow in javascript and its apis. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, SAC 2014, pp. 1663–1671. ACM, New York (2014)

    Google Scholar 

  17. Liu, L., Zhang, X., Yan, G., Chen, S.: Chrome extensions: Threat analysis and countermeasures. In: NDSS (2012)

    Google Scholar 

  18. Liverani, R.S., Freeman, N.: Abusing firefox extensions. In: Defcon17 (2009)

    Google Scholar 

  19. Maone, G.: Noscript

    Google Scholar 

  20. Saini, A., Gaur, M.S., Laxmi, V.: The darker side of firefox extension. In: Proceedings of the 6th International Conference on Security of Information and Networks, SIN 2013, pp. 316–320. ACM (2013)

    Google Scholar 

  21. Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Extensible Web Browser Security. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 1–19. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  22. Kevin, C., Timothy, D.: Man in the browser attacks. International Journal of Ambient Computing and Intelligence (IJACI) 4 (2012)

    Google Scholar 

  23. Utakrit, N.: Review of browser extensions, a man-in-the-browser phishing techniques targeting bank customer. In: 7th Australian Information Security Management Conference, p. 19 (2009)

    Google Scholar 

  24. Kindel, C., Williams, S.: The component object model: A technical overview

    Google Scholar 

  25. Zalewski, M.: Browser security handbook. Google Code (2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Malaviya National Institute of Technology, Jaipur, India

    Anil Saini, Manoj Singh Gaur, Vijay Laxmi & Tushar Singhal

  2. University of Padua, Italy

    Mauro Conti

Authors
  1. Anil Saini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Manoj Singh Gaur
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vijay Laxmi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Tushar Singhal
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Mauro Conti
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of EECS, University of Michigan, 48109-2121, Ann Arbor, MI, USA

    Atul Prakash

  2. Faculty of Technology and Computer Science, Tata Institute of Fundamental Research, Homi Bhabha Road, 400005, Mumbai, India

    Rudrapatna Shyamasundar

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Saini, A., Gaur, M.S., Laxmi, V., Singhal, T., Conti, M. (2014). Privacy Leakage Attacks in Browsers by Colluding Extensions. In: Prakash, A., Shyamasundar, R. (eds) Information Systems Security. ICISS 2014. Lecture Notes in Computer Science, vol 8880. Springer, Cham. https://doi.org/10.1007/978-3-319-13841-1_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-13841-1_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13840-4

  • Online ISBN: 978-3-319-13841-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation