EmPoWeb: Empowering Web Applications with Browser Extensions




Browser extensions are third-party programs, tightly integrated into browsers, where they execute with elevated privileges in order to provide users with additional functionality. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and can therefore read and write user data on any web application. They also have access to sensitive user information, including browsing history, bookmarks, credentials (cookies) and the list of installed extensions.

Architecture of the interactions between extensions and web applications

They have access to a permanent storage in which they can store data as long as they are installed in the user's browser. They can trigger the download of arbitrary files and save them on the user's device.
For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit the privileged capabilities of extensions and thereby access and exfiltrate sensitive user information.

In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions' APIs, web applications can bypass SOP and access user data on any other web application, access user credentials (cookies), browsing history, bookmarks, the list of installed extensions and extension storage, and download and save arbitrary files on the user's device.
Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and, more importantly, to users. We discuss countermeasures and proposals, and believe that our study, and in particular the tool we used to detect and exploit these threats, can be used as part of the extension review process by browser vendors to help them identify and fix the aforementioned problems in extensions.

The following figure shows the methodology we followed in order to analyze extensions on Chrome, Firefox and Opera at large scale.




Analysis methodology



More details about the methodology can be found in the paper. Basically, a static analyzer automatically analyzes and reports suspicious extensions, which are then manually reviewed in order to confirm whether or not they can be exploited by web applications.

We have implemented our methodology in an online tool. This tool is primarily meant for browser vendors and extension developers willing to check whether their extensions expose vulnerabilities that web applications can exploit to gain access to sensitive user information.

The tool tries to discover the extension APIs that can be escalated. One can then test the extension to assess whether the exposed APIs can truly be exploited by adversaries.
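To make the "flag automatically, then review manually" step concrete, here is a small triage heuristic for extension reviewers. It is an added example, not the authors' tool or analyzer; the permission-to-capability mapping, the regular expressions and the sample extension are assumptions chosen to mirror the capability categories listed on this page.

```javascript
// Added example: heuristic triage only, NOT the EmPoWeb analyzer.
// Permission -> capability category, using the category names from this page.
const CAPABILITIES = new Map([
  ["cookies", "read cookies"],
  ["history", "read browsing history"],
  ["bookmarks", "read bookmarks"],
  ["management", "get extensions installed"],
  ["storage", "store/retrieve data"],
  ["downloads", "trigger downloads"],
]);
// Host patterns broad enough to reach any web application (SOP bypass).
const BROAD_HOSTS = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;
// Message entry points that a web page can reach.
const ENTRY_POINTS = [
  ["onMessageExternal", /\.runtime\.onMessageExternal\b/],
  ["onConnectExternal", /\.runtime\.onConnectExternal\b/],
  ["window message listener", /addEventListener\(\s*["']message["']/],
];

// manifest: parsed manifest.json; sources: { fileName: sourceText }
function triageExtension(manifest, sources) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const capabilities = perms.filter((p) => CAPABILITIES.has(p)).map((p) => CAPABILITIES.get(p));
  if (perms.some((p) => BROAD_HOSTS.test(p))) capabilities.push("bypass SOP");
  const entryPoints = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const [name, re] of ENTRY_POINTS) {
      if (re.test(text)) entryPoints.push(`${file}: ${name}`);
    }
  }
  // Origins the manifest explicitly allows to message the extension.
  const webOrigins = (manifest.externally_connectable || {}).matches || [];
  // Flag for manual review only when a web-reachable handler coexists with a capability.
  const suspicious = entryPoints.length > 0 && capabilities.length > 0;
  return { suspicious, entryPoints, capabilities, webOrigins };
}

// Constructed sample input (hypothetical extension, not one from the study).
const sampleManifest = {
  manifest_version: 2,
  permissions: ["cookies", "storage", "<all_urls>"],
  externally_connectable: { matches: ["*://*.example.com/*"] },
};
const sampleSources = {
  "background.js": "chrome.runtime.onMessageExternal.addListener((m, s, reply) => {});",
  "content.js": "window.addEventListener('message', (e) => chrome.runtime.sendMessage(e.data));",
};
console.log(triageExtension(sampleManifest, sampleSources));
```

A hit only means a web-reachable handler and a privileged capability coexist in the same extension; whether the handler actually forwards attacker-controlled messages to that capability still has to be confirmed by manual review.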

We applied our tool to Chrome, Firefox and Opera extensions. The main results follow. These are extensions that can be exploited by web applications in order to:

  • execute arbitrary code in the context of extensions with the same privileges as the extension
  • bypass the Same Origin Policy and access user information
  • read user cookies in order to hijack their browsing session for instance
  • read their browsing history and bookmarks
  • get the list of installed extensions
  • store and retrieve data in the extensions permanent storage. Such information can serve tracking purposes
  • trigger the download of arbitrary files and store them on the user device. These files can be malicious software whose execution can damage the user's device

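| | Chrome | Firefox | Opera | Total |
|---|---|---|---|---|
| Extensions analyzed | 66,401 | 9,391 | 2,523 | 78,315 |
| Suspicious extensions | 3,303 | 483 | 210 | 3,996 |
| Execute code | 15 | 2 | 2 | 19 |
| Bypass SOP | 48 | 9 | 6 | 63 |
| Read cookies | 8 | - | - | 8 |
| Read browsing history | 40 | - | - | 40 |
| Read bookmarks | 37 | 1 | - | 38 |
| Get extensions installed | 33 | - | - | 33 |
| Store/retrieve data | 85 | 2 | 3 | 90 |
| Trigger downloads | 29 | 5 | 2 | 36 |
| Total of unique extensions | 171 | 16 | 10 | 197 |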



The paper has more. In particular, it presents case studies, discusses countermeasures, etc.

We have also recorded some videos demonstrating how we managed to exploit those extensions.


For more details about this work, feel free to contact the author, Dolière Francis Somé.