Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
10-2014
Abstract
A common characteristic of modern web browsers is that their functionality can be extended via third-party addons. In this paper we focus on Chrome extensions, to which the Chrome browser exports a rich API: extensions can potentially make network requests, access the local file system, get low-level information about running processes, etc. To guard against misuse, Chrome uses a permission system to curtail an extension's privileges. We demonstrate a series of attacks by which extensions can steal data, track user behavior, and collude to elevate their privileges. Although some attacks have previously been reported, we show that subtler versions can easily be devised that are less likely to be prevented by proposed defenses and can evade notice by the user. We quantify the potential danger of attacks by examining how many currently available extensions have sufficient privileges to carry them out. As many web sites do not employ defenses against such attacks, we examine how many popular web sites are vulnerable to each kind of attack. Our results show that a surprisingly large fraction of web sites is vulnerable to many attacks, and a large fraction of currently available extensions is potentially able to carry them out.
Discipline
Information Security
Publication
Proceedings of IEEE Conference on Communications and Network Security, San Francisco, CA, US, 2014 October 29-31
First Page
184
Last Page
192
Identifier
10.1109/CNS.2014.6997485
City or Country
San Francisco, CA
Citation
BAUER, Lujo; CAI, Shaoying; JIA, Limin; PASSARO, Timothy; and TIAN, Yuan.
Analyzing the dangers posed by Chrome Extensions. (2014). Proceedings of IEEE Conference on Communications and Network Security, San Francisco, CA, US, 2014 October 29-31. 184-192.
Available at: https://ink.library.smu.edu.sg/sis_research/4193
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/CNS.2014.6997485