DOI: 10.1145/3243734.3243823
research-article (Public Access)

Mystique: Uncovering Information Leakage from Browser Extensions

Published: 15 October 2018

ABSTRACT

Browser extensions are small JavaScript, CSS and HTML programs that run inside the browser with special privileges. These programs, often written by third parties, operate on the pages that the browser is visiting, giving the user a programmatic way to configure the browser. The privacy implications of allowing privileged third-party code to execute inside the user's browser are not well understood. In this paper, we develop a taint analysis framework for browser extensions and use it to perform a large-scale study of extensions with regard to their privacy practices. We first present a hybrid approach to traditional taint analysis: because extension source code is available to the runtime JavaScript engine, we implement as well as enhance traditional taint analysis using information gathered from static data-flow and control-flow analysis of the JavaScript source code. Based on this, we further modify the Chromium browser to support taint tracking for extensions. We analyzed 178,893 extensions crawled from the Chrome Web Store between September 2016 and March 2018, as well as a separate set of all extensions available for the Opera browser at the time of analysis (2,790 in total). From these, our analysis flagged 3,868 (2.13%) extensions as potentially leaking privacy-sensitive information. The top 10 most popular Chrome extensions that we confirmed to be leaking privacy-sensitive information have more than 60 million users combined. We ran the analysis on a local Kubernetes cluster and finished within a month, demonstrating the feasibility of our approach for large-scale analysis of browser extensions. At the same time, our results emphasize the threat browser extensions pose to user privacy and the need for countermeasures against misbehaving extensions that abuse their privileges.

Supplemental Material

p1687-chen.mp4 (mp4, 375.8 MB)


Published in

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
October 2018, 2359 pages
ISBN: 9781450356930
DOI: 10.1145/3243734

Copyright © 2018 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '18 paper acceptance rate: 134 of 809 submissions (17%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
