Helping or Hindering? How Browser Extensions Undermine Security

Agarwal, Shubham
(2022) Helping or Hindering? How Browser Extensions Undermine Security.
In: The 29th ACM Conference on Computer and Communications Security (CCS), November 7-11, 2022, Los Angeles, U.S.A..
Conference: CCS ACM Conference on Computer and Communications Security
(In Press)

[img]
Preview
 Text
ccs2022b-paper626.pdf
Download (914kB) | Preview

Abstract

Browser extensions enhance the functionality of native Web applications on the client side. They provide a rich end-user experience by utilizing feature-rich JavaScript APIs, otherwise inaccessible for native applications. However, prior studies suggest that extensions may degrade the client-side security to execute their operations, such as by altering the DOM, executing untrusted scripts in the applications' context, and performing other security-critical operations for the user. In this study, we instead focus on extensions that tamper with the security headers between the client-server exchange, thereby undermining the security guarantees that these headers provide to the application. To this end, we present our automated analysis framework to detect such extensions by leveraging static and dynamic analysis techniques. We statically identify extensions with the permission to modify headers and then instrument the dangerous APIs to investigate their runtime behavior with respect to modifying headers in-flight. We then use our framework to analyze the three snapshots of the Chrome extension store from Jun 2020, Feb 2021, and Jan 2022. In doing so, we detect 1,129 distinct extensions that interfere with security-related request/response headers and discuss the associated security implications. The impact of our findings is aggravated by the extensions, with millions of installations dropping critical security headers like Content-Security-Policy or X-Frame-Options.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Ben Stock (Secure Web Applications Group, SWAG)
Conference: CCS ACM Conference on Computer and Communications Security
Depositing User: Shubham Agarwal
Date Deposited: 08 Sep 2022 13:47
Last Modified: 23 Sep 2022 07:41
Primary Research Area: NRA5: Empirical & Behavioral Security
URI: https://publications.cispa.saarland/id/eprint/3766

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.