Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

10-2014

Abstract

A common characteristic of modern web browsers is that their functionality can be extended via third-party addons. In this paper we focus on Chrome extensions, to which the Chrome browser exports a rich API: extensions can potentially make network requests, access the local file system, get low-level information about running processes, etc. To guard against misuse, Chrome uses a permission system to curtail an extension's privileges. We demonstrate a series of attacks by which extensions can steal data, track user behavior, and collude to elevate their privileges. Although some attacks have previously been reported, we show that subtler versions can easily be devised that are less likely to be prevented by proposed defenses and can evade notice by the user. We quantify the potential danger of attacks by examining how many currently available extensions have sufficient privileges to carry them out. As many web sites do not employ defenses against such attacks, we examine how many popular web sites are vulnerable to each kind of attack. Our results show that a surprisingly large fraction of web sites is vulnerable to many attacks, and a large fraction of currently available extensions is potentially able to carry them out.

Discipline

Information Security

Publication

Proceedings of IEEE Conference on Communications and Network Security, San Francisco, CA, US, 2014 October 29-31

First Page

184

Last Page

192

Identifier

10.1109/CNS.2014.6997485

City or Country

San Francisco, CA

Additional URL

https://doi.org/10.1109/CNS.2014.6997485

Share

COinS