
Helping or Hindering? How Browser Extensions Undermine Security

conference contribution
posted on 2023-11-29, 18:22 authored by Shubham Agarwal
Browser extensions enhance the functionality of native Web applications on the client side. They provide a rich end-user experience by utilizing feature-rich JavaScript APIs that are otherwise inaccessible to native applications. However, prior studies suggest that extensions may degrade client-side security in order to execute their operations, such as by altering the DOM, executing untrusted scripts in the applications' context, and performing other security-critical operations for the user. In this study, we instead focus on extensions that tamper with the security headers in the client-server exchange, thereby undermining the security guarantees that these headers provide to the application. To this end, we present our automated analysis framework to detect such extensions by leveraging static and dynamic analysis techniques. We statically identify extensions with the permission to modify headers and then instrument the dangerous APIs to investigate their runtime behavior with respect to modifying headers in-flight. We then use our framework to analyze three snapshots of the Chrome extension store from Jun 2020, Feb 2021, and Jan 2022. In doing so, we detect 1,129 distinct extensions that interfere with security-related request/response headers and discuss the associated security implications. The impact of our findings is aggravated by extensions with millions of installations that drop critical security headers like Content-Security-Policy or X-Frame-Options.
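
The static step described in the abstract can be sketched as a manifest triage; the code below is an added example, not the paper's framework. It goes beyond the abstract by also inspecting Manifest V3 declarativeNetRequest rules. The function names, the sample manifest and rules, and every header in the list other than Content-Security-Policy and X-Frame-Options are assumptions.

```javascript
// Added example: static triage of a Chrome extension for header-tampering capability.
// Only CSP and X-Frame-Options are named on the page; the other two are assumptions.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "x-frame-options",
  "strict-transport-security", "x-content-type-options",
]);

// True if the manifest requests permissions that allow rewriting headers in flight.
function canModifyHeaders(manifest) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  // Manifest V2: blocking webRequest listeners can edit request/response headers.
  const mv2 = perms.has("webRequest") && perms.has("webRequestBlocking");
  // Manifest V3: declarativeNetRequest rules with a "modifyHeaders" action.
  const mv3 = perms.has("declarativeNetRequest") ||
              perms.has("declarativeNetRequestWithHostAccess");
  return mv2 || mv3;
}

// Return the declarativeNetRequest rules that remove or overwrite a security response header.
function findHeaderTampering(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== "modifyHeaders") continue;
    for (const h of rule.action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase(); // header names are case-insensitive
      if (SECURITY_HEADERS.has(name) && (h.operation === "remove" || h.operation === "set")) {
        findings.push({ ruleId: rule.id, header: name, operation: h.operation });
      }
    }
  }
  return findings;
}

function auditExtension(manifest, rules = []) {
  return { capable: canModifyHeaders(manifest), findings: findHeaderTampering(rules) };
}

// Constructed sample input (not taken from any real extension).
const sampleManifest = { manifest_version: 3, name: "sample", permissions: ["declarativeNetRequest", "storage"] };
const sampleRules = [
  { id: 1, action: { type: "modifyHeaders", responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] } },
  { id: 2, action: { type: "modifyHeaders", responseHeaders: [{ header: "X-Custom", operation: "set", value: "1" }] } },
  { id: 3, action: { type: "block" } },
];
console.log(JSON.stringify(auditExtension(sampleManifest, sampleRules), null, 2));
```

A capable extension with no static findings can still alter headers from a Manifest V2 webRequest listener at runtime, which is why the abstract pairs the static step with dynamic instrumentation.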

Preferred Citation

Shubham Agarwal. Helping or Hindering? How Browser Extensions Undermine Security. In: ACM Conference on Computer and Communications Security (CCS). 2022.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

Legacy Posted Date

2022-09-08

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3766,
  title = "Helping or Hindering? How Browser Extensions Undermine Security",
  author = "Agarwal, Shubham",
  booktitle = "{ACM Conference on Computer and Communications Security (CCS)}",
  year = "2022",
}
