DOI: 10.1145/3548606.3560685 (ACM CCS conference proceedings)
Research article

Helping or Hindering?: How Browser Extensions Undermine Security

Published: 07 November 2022

Abstract

Browser extensions enhance the functionality of native Web applications on the client side. They provide a rich end-user experience by utilizing feature-rich JavaScript APIs that are otherwise inaccessible to native applications. However, prior studies suggest that extensions may degrade client-side security in order to carry out their operations, for instance by altering the DOM, executing untrusted scripts in the application's context, and performing other security-critical operations on the user's behalf.
In this study, we instead focus on extensions that tamper with the security headers exchanged between client and server, thereby undermining the security guarantees that these headers provide to the application. To this end, we present an automated analysis framework that detects such extensions by combining static and dynamic analysis techniques. We statically identify extensions that hold the permission to modify headers and then instrument the dangerous APIs to observe their runtime behavior with respect to modifying headers in flight.
We then use our framework to analyze three snapshots of the Chrome extension store from June 2020, February 2021, and January 2022. In doing so, we detect 1,129 distinct extensions that interfere with security-related request/response headers and discuss the associated security implications. The impact of our findings is aggravated by extensions with millions of installations dropping critical security headers such as Content-Security-Policy or X-Frame-Options.
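The two-stage approach the abstract describes, as an added illustration that is not the paper's own (Black Canary) code: a static triage of manifest.json permissions that allow in-flight header modification, followed by an instrumented call of a webRequest-style `onHeadersReceived` listener that diffs the security headers before and after the listener ran. The permission set, the list of security headers, the sample manifests, the sample response and the `sample_listener` are all constructed for this example and are assumptions, not values from the paper.

```python
"""Added example (not the paper's own code) modelling the two stages in the
abstract: static permission triage, then runtime header-diff instrumentation.
All manifests, headers and the sample listener are constructed."""

# Permissions that let an extension rewrite headers in flight. Assumption:
# this is the set checked here; the paper's exact set is not on the page.
HEADER_MODIFYING_PERMISSIONS = frozenset({
    "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
})

# Response headers whose removal or weakening the abstract treats as critical.
SECURITY_HEADERS = frozenset({
    "content-security-policy", "x-frame-options", "strict-transport-security",
    "referrer-policy", "cross-origin-opener-policy",
    "cross-origin-embedder-policy", "cross-origin-resource-policy",
})


def can_modify_headers(manifest):
    """Stage 1: does the manifest declare a header-modifying permission?"""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("optional_permissions", []))
    return bool(declared & HEADER_MODIFYING_PERMISSIONS)


def host_scope(manifest):
    """Host match patterns the extension may act on (MV2 lists them under
    'permissions', MV3 under 'host_permissions')."""
    candidates = list(manifest.get("permissions", []))
    candidates += list(manifest.get("host_permissions", []))
    return sorted(p for p in candidates if "://" in p or p == "<all_urls>")


def triage(manifests):
    """Names of extensions worth instrumenting, mapped to their host scope."""
    return {m["name"]: host_scope(m) for m in manifests if can_modify_headers(m)}


def _as_dict(header_list):
    """webRequest passes headers as [{'name': ..., 'value': ...}]; fold to a dict."""
    return {h["name"].lower(): h["value"] for h in header_list}


def instrumented_call(listener, details):
    """Stage 2: run an onHeadersReceived-style listener and report which
    security headers it dropped or changed for this response."""
    before = _as_dict(details["responseHeaders"])
    result = listener(details) or {}          # a listener may return nothing
    after = _as_dict(result.get("responseHeaders", details["responseHeaders"]))
    dropped = sorted(h for h in SECURITY_HEADERS if h in before and h not in after)
    changed = sorted(h for h in SECURITY_HEADERS
                     if h in before and h in after and before[h] != after[h])
    return {"url": details["url"], "dropped": dropped, "changed": changed}


# ---- constructed sample data (not from the paper) ----------------------------
SAMPLE_MANIFESTS = [
    {"name": "Theme Pack", "manifest_version": 3, "permissions": ["storage"]},
    {"name": "Header Tweaker", "manifest_version": 2,
     "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]},
    {"name": "Rule Rewriter", "manifest_version": 3,
     "permissions": ["declarativeNetRequest"],
     "host_permissions": ["https://*.example.test/*"]},
]

SAMPLE_DETAILS = {
    "url": "https://app.example.test/",
    "responseHeaders": [
        {"name": "Content-Security-Policy", "value": "default-src 'self'"},
        {"name": "X-Frame-Options", "value": "DENY"},
        {"name": "Strict-Transport-Security", "value": "max-age=31536000"},
        {"name": "Content-Type", "value": "text/html"},
    ],
}


def sample_listener(details):
    """Constructed stand-in for the kind of listener the study detects:
    it strips CSP and relaxes X-Frame-Options on every response."""
    kept = []
    for h in details["responseHeaders"]:
        name = h["name"].lower()
        if name == "content-security-policy":
            continue
        if name == "x-frame-options":
            h = {"name": h["name"], "value": "SAMEORIGIN"}
        kept.append(h)
    return {"responseHeaders": kept}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFESTS))
    print(instrumented_call(sample_listener, SAMPLE_DETAILS))
```

Running the module prints the two extensions that survive static triage together with their host scope, then the diff record for the sample listener, which lists `content-security-policy` as dropped and `x-frame-options` as changed. A listener that returns nothing (or returns the headers unchanged) yields an empty record, which is the case the dynamic stage exists to separate from the harmful one: holding the permission is only a reason to instrument, not evidence of tampering.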



Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, November 2022, 3598 pages. ISBN: 9781450394505. DOI: 10.1145/3548606.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. browser extensions
2. client-side security
3. http security headers

Cited By

  • FV8. Proceedings of the 33rd USENIX Conference on Security Symposium (2024), pp. 3747-3764. DOI: 10.5555/3698900.3699110. Online publication date: 14 Aug 2024.
  • Analyzing Security Risks in Browser Extension Search Tools: A Literature Review. SSRN Electronic Journal (2024). DOI: 10.2139/ssrn.4842191.
  • A First Look at Security and Privacy Risks in the RapidAPI Ecosystem. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (2024), pp. 1626-1640. DOI: 10.1145/3658644.3690294. Online publication date: 2 Dec 2024.
  • Zunna. Knowledge Science, Engineering and Management (2024), pp. 203-213. DOI: 10.1007/978-981-97-5489-2_18. Online publication date: 27 Jul 2024.