Analyzing the dangers posed by Chrome Extensions
A common characteristic of modern web browsers is that their functionality can be extended via third-party addons. In this paper we focus on Chrome extensions, to which the Chrome browser exports a rich API: extensions can potentially make network requests, access the local file system, get low-leve...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2014
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4193 https://ink.library.smu.edu.sg/context/sis_research/article/5196/viewcontent/cns2014_browserattacks.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5196 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-51962018-12-13T09:26:22Z Analyzing the dangers posed by Chrome Extensions BAUER, Lujo CAI, Shaoying JIA, Limin PASSARO, Timothy TIAN, Yuan A common characteristic of modern web browsers is that their functionality can be extended via third-party addons. In this paper we focus on Chrome extensions, to which the Chrome browser exports a rich API: extensions can potentially make network requests, access the local file system, get low-level information about running processes, etc. To guard against misuse, Chrome uses a permission system to curtail an extension's privileges. We demonstrate a series of attacks by which extensions can steal data, track user behavior, and collude to elevate their privileges. Although some attacks have previously been reported, we show that subtler versions can easily be devised that are less likely to be prevented by proposed defenses and can evade notice by the user. We quantify the potential danger of attacks by examining how many currently available extensions have sufficient privileges to carry them out. As many web sites do not employ defenses against such attacks, we examine how many popular web sites are vulnerable to each kind of attack. Our results show that a surprisingly large fraction of web sites is vulnerable to many attacks, and a large fraction of currently available extensions is potentially able to carry them out. 2014-10-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4193 info:doi/10.1109/CNS.2014.6997485 https://ink.library.smu.edu.sg/context/sis_research/article/5196/viewcontent/cns2014_browserattacks.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Information Security |
| spellingShingle |
Information Security BAUER, Lujo CAI, Shaoying JIA, Limin PASSARO, Timothy TIAN, Yuan Analyzing the dangers posed by Chrome Extensions |
| description |
A common characteristic of modern web browsers is that their functionality can be extended via third-party addons. In this paper we focus on Chrome extensions, to which the Chrome browser exports a rich API: extensions can potentially make network requests, access the local file system, get low-level information about running processes, etc. To guard against misuse, Chrome uses a permission system to curtail an extension's privileges. We demonstrate a series of attacks by which extensions can steal data, track user behavior, and collude to elevate their privileges. Although some attacks have previously been reported, we show that subtler versions can easily be devised that are less likely to be prevented by proposed defenses and can evade notice by the user. We quantify the potential danger of attacks by examining how many currently available extensions have sufficient privileges to carry them out. As many web sites do not employ defenses against such attacks, we examine how many popular web sites are vulnerable to each kind of attack. Our results show that a surprisingly large fraction of web sites is vulnerable to many attacks, and a large fraction of currently available extensions is potentially able to carry them out. |
| format |
text |
| author |
BAUER, Lujo CAI, Shaoying JIA, Limin PASSARO, Timothy TIAN, Yuan |
| author_facet |
BAUER, Lujo CAI, Shaoying JIA, Limin PASSARO, Timothy TIAN, Yuan |
| author_sort |
BAUER, Lujo |
| title |
Analyzing the dangers posed by Chrome Extensions |
| title_short |
Analyzing the dangers posed by Chrome Extensions |
| title_full |
Analyzing the dangers posed by Chrome Extensions |
| title_fullStr |
Analyzing the dangers posed by Chrome Extensions |
| title_full_unstemmed |
Analyzing the dangers posed by Chrome Extensions |
| title_sort |
analyzing the dangers posed by chrome extensions |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2014 |
| url |
https://ink.library.smu.edu.sg/sis_research/4193 https://ink.library.smu.edu.sg/context/sis_research/article/5196/viewcontent/cns2014_browserattacks.pdf |
| _version_ |
1770574424741773312 |