The Evil Friend in Your Browser
0 likes565 views
The document discusses the security risks associated with browser extensions, highlighting that while they enhance functionality, they can also pose significant threats to user privacy and data. An analysis of over 2,500 extensions reveals that many request extensive permissions that can enable malicious activities, such as monitoring user browsing history and circumventing security measures. The authors emphasize the need for improved security models and user awareness to mitigate risks associated with extensions.
![The architecture of browser extensions
Web Browser
Tab
Extension
Site
Scripts
DOM
(Origin A)
Content
Scripts
Site
Scripts
DOM
(Origin C)
Content
Scripts
iframeiframe
Site
Scripts
DOM
(Origin B)
postMessage
popup.html
+ Scripts
background.html
+ Scripts
- Permissions
- CSP
Operating System
Native App
Filesystem USB Camera
postMessage
(externally_
connectable)postMessage
sendNativeMessage
(Allowed Plugin)
HTML5 API
{
"update_url": "https :// clients2.google.com/service/update2/
"name": "Test␣Extension",
"version": "0.1",
" manifest_version ": 2,
" description ": "This␣is␣a␣harmless␣extension ...",
" permissions ": [
"tabs", "<all_urls >", "webRequest"
],
" content_scripts ": [
{
"all_frames": true ,
"js": [" content_script .js"],
"matches": ["<all_urls >"],
"run_at": " document_start "
}
],
"background": {
"scripts": ["background.js"]
}
}](https://image.slidesharecdn.com/2017-05-11-owasp-browser-extensions-170511154530/85/The-Evil-Friend-in-Your-Browser-36-320.jpg)
The Evil Friend in Your Browser
- 1. The Evil Friend in Your Browser Achim D. Brucker and Michael Herzberg {a.brucker, msherzberg1}@sheffield.ac.uk Software Assurance & Security Research Department of Computer Science, The University of Sheffield, Sheffield, UK https://logicalhacking.com/ May 12, 2017
- 2. The Evil Friend in Your Browser Abstract On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties. The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users. We present results of analysing over 2500 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective. need of browser users.
- 3. Outline 1 Motivation 2 What are extensions: user perspective 3 What are extensions: developer perspective 4 Little shop of horrors 5 Outlook
- 4. Outline 1 Motivation 2 What are extensions: user perspective 3 What are extensions: developer perspective 4 Little shop of horrors 5 Outlook
- 5. Browsers are the new operating systems
- 6. Browsers are the new operating systems
- 7. Browsers are the new operating systems
- 8. Browsers are the new operating systems
- 9. Browsers are the new operating systems
- 10. Browsers are the new operating systems
- 11. Browsers are the new operating systems
- 12. Protecting Web Users HttpOnly Same-origin policy Content Security Policy (CSP) ...
- 13. Security of web browsers The major browser vendors take security seriously investing a lot in making web browsers secure and trustworthy
- 14. Security of web browsers The major browser vendors take security seriously investing a lot in making web browsers secure and trustworthy We have a good basis for secure web applications
- 15. Security of web browsers The major browser vendors take security seriously investing a lot in making web browsers secure and trustworthy We have a good basis for secure web applications, until we add extensions: can extend/modify the browser anybody can write/offer them
- 16. Security of web browsers The major browser vendors take security seriously investing a lot in making web browsers secure and trustworthy We have a good basis for secure web applications, until we add extensions: can extend/modify the browser anybody can write/offer them might tear down the defence from inside
- 17. Outline 1 Motivation 2 What are extensions: user perspective 3 What are extensions: developer perspective 4 Little shop of horrors 5 Outlook
- 18. Browser extensions Add-ons extending your browser Google says: small software programs little to no user interface
- 19. Browser extensions Add-ons extending your browser Google says: small software programs little to no user interface
- 20. Browser extensions Add-ons extending your browser Google says: small software programs little to no user interface What we find: complex and large programs sophisticated user interfaces
- 21. Browser extensions Add-ons extending your browser Google says: small software programs little to no user interface What we find: complex and large programs sophisticated user interfaces What extension can do: modify the user interface (how your browser behaves) modify web pages (what you see) modify web request (what you enter)
- 22. Let’s search for a simple calculator
- 23. Let’s search for a simple calculator
- 24. Let’s search for a simple calculator
- 25. Let’s search for a simple calculator
- 26. Let’s search for a simple calculator
- 27. Let’s search for a simple calculator
- 28. Malicious extensions are a real threat to users (1/2)
- 29. Malicious extensions are a real threat to users (1/2)
- 30. Malicious extensions are a real threat to users (2/2) Web of Trust (WoT) logged all web requests
- 31. Malicious extensions are a real threat to users (2/2) Web of Trust (WoT) logged all web requests and sold the data to third parties
- 32. Malicious extensions are a real threat to users (2/2) Web of Trust (WoT) logged all web requests and sold the data to third parties A German TV station bought the data
- 33. Malicious extensions are a real threat to users (2/2) Web of Trust (WoT) logged all web requests and sold the data to third parties A German TV station bought the data “de-anonymized” it
- 34. Malicious extensions are a real threat to users (2/2) Web of Trust (WoT) logged all web requests and sold the data to third parties A German TV station bought the data “de-anonymized” it and found critical data, e.g.: tax declaration of a member of the German parliament details about international search warrants ...
- 35. Outline 1 Motivation 2 What are extensions: user perspective 3 What are extensions: developer perspective 4 Little shop of horrors 5 Outlook
- 36. The architecture of browser extensions Web Browser Tab Extension Site Scripts DOM (Origin A) Content Scripts Site Scripts DOM (Origin C) Content Scripts iframeiframe Site Scripts DOM (Origin B) postMessage popup.html + Scripts background.html + Scripts - Permissions - CSP Operating System Native App Filesystem USB Camera postMessage (externally_ connectable)postMessage sendNativeMessage (Allowed Plugin) HTML5 API { "update_url": "https :// clients2.google.com/service/update2/ "name": "Test␣Extension", "version": "0.1", " manifest_version ": 2, " description ": "This␣is␣a␣harmless␣extension ...", " permissions ": [ "tabs", "<all_urls >", "webRequest" ], " content_scripts ": [ { "all_frames": true , "js": [" content_script .js"], "matches": ["<all_urls >"], "run_at": " document_start " } ], "background": { "scripts": ["background.js"] } }
- 37. Security mechanism: Permissions Background Scripts Two-dimensional permission system: functional permissions: tabs, bookmarks, webRequest, desktopCapture, ... host permissions: https://*.google.com, http://www.facebook.com, but also <all_urls> and https://*/* Host permissions restrict effect of some functional permissions Content Scripts Black and white: either injecting script, or not
- 38. Outline 1 Motivation 2 What are extensions: user perspective 3 What are extensions: developer perspective 4 Little shop of horrors 5 Outlook
- 39. Chrome Web Store Main way of distributing extensions We monitored 115k extensions over 3 months Wide variety of categories: productivity 29.29% fun 11.65% communication 10.24% web_development 9.15% games 7.52% accessibility 7.22%
- 40. Extensions are big ... <10kB 10kB - 100kB100kB - 1MB 1MB - 10MB >10MB Extension Size 0 5000 10000 15000 20000 25000 #Extensions <100 100 - 1000 1000 - 10k 10k - 100k >100k JavaScript LoC 0 5000 10000 15000 20000 25000 30000 35000 #Extensions
- 41. ... and old 0 1 2 - 5 5 - 10 >10 # of updates in 3 months 0 20000 40000 60000 80000 100000 #Extensions 15% use old jQuery version! (1.x or 2.x)
- 42. Case one: Read all your history Permission: tabs or <all_urls>, or content script on all sites Needed for many simple extensions Can monitor your complete history, incl. full urls
- 43. Case one: Read all your history Permission: tabs or <all_urls>, or content script on all sites Needed for many simple extensions Can monitor your complete history, incl. full urls 34% of 115.000 extensions total downloads: 715m
- 44. Case two: Read and write all data on your websites Permission: <all_urls>, or content script on all sites Minimum level of permissions for many extensions Gives full access to the web site
- 45. Case two: Read and write all data on your websites Permission: <all_urls>, or content script on all sites Minimum level of permissions for many extensions Gives full access to the web site 21% of 115.000 extensions total downloads: 615m
- 46. Case three: Circumvent security measures Permission: <all_urls> and webRequest Can intercept and change all HTTP headers! Disable Content-Security-Policy, Same-origin Policy, etc. Breaks security guarantees of web browsers!
- 47. Case three: Circumvent security measures Permission: <all_urls> and webRequest Can intercept and change all HTTP headers! Disable Content-Security-Policy, Same-origin Policy, etc. Breaks security guarantees of web browsers! 6% of 115.000 extensions total downloads: 325m
- 49. Outline 1 Motivation 2 What are extensions: user perspective 3 What are extensions: developer perspective 4 Little shop of horrors 5 Outlook
- 50. How can we make web browsing great* again? *great = ensuring the security, integrity, and privacy of the user of a web browser
- 51. How can we make web browsing great* again? Integrity: content modifications layout modifications Confidentiality: data storage transmitted data Privacy: access to sensors personal identifiers *great = ensuring the security, integrity, and privacy of the user of a web browser
- 52. Outlook: On the long term Sandboxing of extensions A different permission model granularity? dynamic vs static? Better explanation for users Better analysis/test tools for extensions Expect updates from us in the future ...
- 53. Outlook: On the short term (1/2) Be aware of the risk Check the vendor of the extension carefully Check the permissions (i.e., active domains) Use browser profiles
- 54. Outlook: On the short term (2/2) Frequent updates vs Governance
- 55. Thank you for your attention! Any questions or remarks? Contact: Dr. Achim D. Brucker and Michael Herzberg Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ {a.brucker, msherzberg1}@sheffield.ac.uk į https://logicalhacking.com/blog/
- 56. Document Classification and License Information © 2017 LogicalHacking.com, Achim D. Brucker and Michael Herzberg {a.brucker, msherzberg1}@sheffield.ac.uk. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0).