Browser extensions are third party programs, tightly integrated to browsers, where they execute with elevated privileges in order to provide users with additional functionalities. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application. They also have access to sensitive user information including browsing history, bookmarks, credentials (cookies) and list of installed extensions.
They have access to a permanent storage in which they can store data as long as they are installed in the user's browser. They can trigger the download of arbitrary files and save them on the user's device.
For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information.
In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions' APIS, web applications can bypass SOP and access user data on any other web application, access user credentials (cookies), browsing history, bookmarks, list of installed extensions, extensions storage, and download and save arbitrary files in the user's device.
Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users. We discuss countermeasures and proposals, and believe that our study and in particular the tool we used to detect and exploit these threats, can be used as part of extensions review process by browser vendors to help them identify and fix the aforementioned problems in extensions.
The following figure shows the methodology we followed in order to analyze at large-scale, extensions on Chrome, Firefox and Opera
More details about the methodology can be found in the paper. Basically, a static analyzer automatically analyzes and reports suspicious extensions, that are manually reviewed further in order to confirm whether or not they can be exploited by web applications
We have implemented our methodology in a online tool . This tool is primarily meant for browser vendors and extensions developers willing to check whether their extensions are exposing vulnerabilities that can be exploited by web applications to gain access to user sensitive information.
The tool tries to discover the extension APIs that can be escalated. One can then test the extension to assess whether the exposed APIs can truly be exploited by adversaries
We applied our tool to Chrome, Firefox and Opera extensions. Following are the main results. These are extensions that can be exploited by web applications in order to
Chrome | Firefox | Opera | Total | |
---|---|---|---|---|
Extensions analyzed | 66,401 | 9,391 | 2,523 | 78,315 |
Suspicious extensions | 3,303 | 483 | 210 | 3,996 |
Execute code | 15 | 2 | 2 | 19 |
Bypass SOP | 48 | 9 | 6 | 63 |
Read cookies | 8 | - | - | 8 |
Read browsing history | 40 | - | - | 40 |
Read bookmarks | 37 | 1 | - | 38 |
Get extensions installed | 33 | - | - | 33 |
Store/retrieve data | 85 | 2 | 3 | 90 |
Trigger downloads | 29 | 5 | 2 | 36 |
Total of unique extensions | 171 | 16 | 10 | 197 |
The paper has more. In particular it shows case studies, discusses countermeasures, etc.
We have also recorded some videos demonstrating how we managed to exploit those extensions
For more details about this work, feel free to contact the author Dolière Francis Somé