Protecting Browser Extensions from Probing and Revelation Attacks


Download Protecting Browser Extensions from Probing and Revelation Attacks


Preview text

Latex Gloves:
Protecting Browser Extensions from Probing and Revelation
Attacks
Alexander Sjösten, Steven Van Acker, Pablo Picazo-Sanchez, Andrei Sabelfeld

Browser extensions
● Allows users to modify browser behaviour
○ Block advertisement & tracking scripts ○ Password managers
● Written in a combination of JavaScript, HTML and CSS
○ Content scripts ○ Background scripts
● User grants permissions
● Can inject content
○ One way through “web accessible resources” ○ chrome-extension:// and moz-extension://

Google Cast example
Detect google cast extension
chrome-extension://boadgeojelhgndaghljhdicfkmllpafd/cast_sender.js
Discover Chromecast on the network

Probing attack
1) Web page makes request to
chrome-extension://boadgeojelhgndaghljhdicfkmllpafd/cast_sender.js
Sjösten et al., CODASPY 2017 Gulyás et al., WPES 2018 (demo web page: https://extensions.inrialpes.fr/) Sanchez-Rola et al., USENIX 2017

Probing attack
1) Web page makes request to
chrome-extension://boadgeojelhgndaghljhdicfkmllpafd/cast_sender.js
2) If extension is installed, resource is returned.
Sjösten et al., CODASPY 2017 Gulyás et al., WPES 2018 (demo web page: https://extensions.inrialpes.fr/) Sanchez-Rola et al., USENIX 2017

Mozilla’s solution
moz-extension://actual-extension-id/resource.js
Randomized
moz-extension://30bb95e6-4208-4633-ab7b-5623c0b09483/resource.js

Mozilla’s solution
moz-extension://actual-extension-id/resource.js
Randomized
moz-extension://30bb95e6-4208-4633-ab7b-5623c0b09483/resource.js
“It is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed.” - Mozilla documentation
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/web_accessible_resources

Mozilla’s solution
moz-extension://actual-extension-id/resource.js
Randomized
moz-extension://30bb95e6-4208-4633-ab7b-5623c0b09483/resource.js
“It is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed.” - Mozilla documentation
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/web_accessible_resources
“This is something we'd like to do when we have the opportunity to make a breaking change.” - Chrome developer forum
https://bugs.chromium.org/p/chromium/issues/detail?id=611420#c19

Revelation attack
1) Extension injects content
moz-extension://30bb95e6-4208-4633-ab7b-5623c0b09483/resource.js

Revelation attack
1) Extension injects content
moz-extension://30bb95e6-4208-4633-ab7b-5623c0b09483/resource.js
2) Use the recently acquired random ID to probe for a unique resource in an extension.

Preparing to load PDF file. please wait...

0 of 0
100%
Protecting Browser Extensions from Probing and Revelation Attacks