726 research outputs found

    Analyzing the dangers posed by Chrome Extensions


    Hardening the security analysis of browser extensions

    Browser extensions boost the browsing experience by a range of features from automatic translation and grammar correction to password management, ad blocking, and remote desktops. Yet the power of extensions poses significant privacy and security challenges because extensions can be malicious and/or vulnerable. We observe that there are gaps in the previous work on analyzing the security of browser extensions and present a systematic study of attack entry points in the browser extension ecosystem. Our study reveals novel password stealing, traffic stealing, and inter-extension attacks. Based on a combination of static and dynamic analysis we show how to discover extension attacks, both known and novel ones, and study their prevalence in the wild. We show that 1,349 extensions are vulnerable to inter-extension attacks leading to XSS. Our empirical study uncovers a remarkable cluster of "New Tab" extensions where 4,410 extensions perform traffic stealing attacks. We suggest several avenues for the countermeasures against the uncovered attacks, ranging from refining the permission model to mitigating the attacks by declarations in manifest files.

    EmPoWeb: Empowering Web Applications with Browser Extensions

    Browser extensions are third-party programs, tightly integrated into browsers, where they execute with elevated privileges in order to provide users with additional functionalities. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application. They also have access to sensitive user information including browsing history, bookmarks, cookies and the list of installed extensions. Extensions have a permanent storage in which they can store data and can trigger the download of arbitrary files on the user's device. For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information. In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions' APIs, web applications can bypass SOP, access user cookies, browsing history, bookmarks, the list of installed extensions, extension storage, and download arbitrary files on the user's device. Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and, more importantly, to users.
We discuss countermeasures and proposals, and believe that our study, and in particular the tool we used to detect and exploit these threats, can be used as part of the extension review process by browser vendors to help them identify and fix the aforementioned problems in extensions.
Comment: 40th IEEE Symposium on Security and Privacy, May 2019. Application security; Attacks and defenses; Malware and unwanted software; Mobile and Web security and privacy; Privacy technologies and mechanisms.

    EmPoWeb: Empowering Web Applications with Browser Extensions

    Browser extensions are third-party programs, tightly integrated into browsers, where they execute with elevated privileges in order to provide users with additional functionalities. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application. They also have access to sensitive user information including browsing history, bookmarks, credentials (cookies) and the list of installed extensions. They have access to a permanent storage in which they can store data as long as they are installed in the user's browser. They can trigger the download of arbitrary files and save them on the user's device. For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information. In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions' APIs, web applications can bypass SOP and access user data on any other web application, access user credentials (cookies), browsing history, bookmarks, the list of installed extensions, extension storage, and download and save arbitrary files on the user's device. Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and, more importantly, to users.
We discuss countermeasures and proposals, and believe that our study, and in particular the tool we used to detect and exploit these threats, can be used as part of the extension review process by browser vendors to help them identify and fix the aforementioned problems in extensions.

    Detecting Malicious Browser Extensions with Static Analysis

    Today the use of extensions is widespread among users of all major search engines such as Chrome. There is also a large increase in the amount of personal data that search engines hold, and as a result they become a target for attackers who exploit the way extensions work in order to collect various information from the unsuspecting user without their consent. The goal of this thesis is to create an extension that monitors the functionality of an extension in order to detect suspicious actions that may violate the user's privacy. We have implemented our approach as a Chrome extension. The way the extension works is that it first connects to a Native Messaging Host [2], which sends the information about the identity of the extension the user has selected to the application. The application in turn downloads the extension's source code and performs static analysis on that code. Every time a suspicious action is detected, it notifies the user with a corresponding warning message as well as the file in which the action was detected.

    Today the use of extensions is widespread for users of all major web browsers such as Chrome. There is also a large increase in the amount of personal data that search engines mediate, and as a result they become the target of attackers who take advantage of how extensions work to gather various information from the unsuspecting user without their consent. The goal of this thesis is to implement an extension that monitors the functionality of an extension to detect suspicious actions that may violate the user's privacy. We have implemented our approach as a Chrome extension.
The way the extension works is the following: first, it connects to a Native Messaging Host [2], which sends information about the identity of the extension that the user has chosen to the (native) application. Then, the application downloads the extension's source code and performs a static analysis of the code. Every time a suspicious action is detected, it informs the user with a corresponding warning message and the file in which the action was detected.

    Securing the Next Generation Web

    With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications, and the clients we use to interact with them, remains difficult.

    To secure web applications we focus on both the client side and the server side. For the client side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to further improve the coverage and vulnerability detection rate of scanners.

    In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. ad blockers and password managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions based solely on the metadata of downloads over time. We analyze new attack vectors introduced by Google's new vehicle OS, Android Automotive. This is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability.
Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.

    There’s a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets

    Cloud storage services are an efficient solution for a variety of use cases, allowing even non-skilled users to benefit from fast, reliable and easy-to-use storage. However, using public cloud services for storage comes with security and privacy concerns. In fact, managing access control at scale is often particularly hard, as the size and complexity rapidly increase, especially when the role of access policies is underestimated, resulting in dangerous misconfigurations. In this paper, we investigate the usage of Amazon S3, one of the most popular cloud storage services, focusing on automatically analyzing and discovering misconfigurations that affect security and privacy. We developed a tool that automatically performs security checks of S3 buckets, without storing or exposing any sensitive data. This tool is intended for developers, end-users, enterprises, and any other organization that makes extensive use of S3 buckets. We validate our tool by performing the first comprehensive, large-scale analysis of 240,461 buckets, obtaining insights on the most common mistakes in access control policies. The most concerning one is certainly the (unwanted) exposure of storage buckets: these can easily leak sensitive data, such as private keys, credentials and database dumps, or allow attackers to tamper with their resources. To raise awareness of the risks and help users secure their storage services, we show how attackers could exploit unsecured S3 buckets to deface or deliver malicious content through websites that rely on S3 buckets. In fact, we identify 191 vulnerable websites. Finally, we propose a browser extension that prevents loading resources hosted in unsecured buckets, intended both for end-users, as a mitigation against vulnerable websites, and for developers and software testers, as a way to check for misconfigurations.

    A Micro-Interaction Tool for Online Text Analysis

    Mobile devices allow users to remain connected to the world in a ubiquitous way, creating new contexts of media use. Considering the structural changes in the journalistic market, media organizations are trying to lead this digital transition, (re)gaining the attention of the public [WS15]. This digital evolution can bring many advantages or open the door to rushed journalism, such as the publication of fake news and malicious content, which can have critical effects on both individuals and society as a whole. For this reason, it is becoming really important to fact-check the sources of information. Misinformation is incorrect or misleading information, which can lead to the distortion of people's opinions on several matters and to unintended consequences. Thus, fact-checking claims with reliable information from credible sources is perhaps the best way to fight the spread of misinformation. By double-checking a claim, you can verify whether or not it is true. However, it is important to use verifiable and reputable sources to fact-check that information; otherwise, you risk perpetuating the cycle [Ohi]. In order to help fight this global issue, we can use the interaction of Internet users with content producers/journalists, so those users can interact with Web content, validating, commenting, or expressing emotions about it, to decrease the percentage of false, malicious or questionable content, while simultaneously creating a profile of these same users and content producers through the application of reputation rules. With this strategy, online content producers can get dynamic interaction and feedback from the public about the published content, so they can fact-check it and reach a greater degree of truthfulness. This Master's dissertation presents a Web tool that enables users to perform fast fact-checking, interacting with the media responsible for the news or text.
This work starts by presenting a study on the main tools and techniques that are being used in journalism to fact-check information. Then, it describes in detail the implementation process of the developed tool, which consists of a Web extension to help in this fact-checking domain. Finally, the dissertation presents an assessment and tests that were conducted to evaluate the feasibility of the solution.

    Mobile devices allow users to remain connected to the world in a ubiquitous way, creating new contexts for media use. Faced with the structural changes in the journalistic market, media organizations are trying to lead this digital transition, (re)gaining the attention of the public [WS15]. This digital evolution can bring many advantages or open the door to rushed journalism, such as the publication of fake news and malicious content, which can have critical effects on individuals and society as a whole. For this reason, it is becoming increasingly important to fact-check the sources of information. Misinformation is incorrect or misleading information, which can lead to the distortion of people's opinions on several matters and to unintended consequences. Therefore, fact-checking with information from reliable sources is perhaps the best way to combat the spread of incorrect information. It is therefore very important to use reliable sources to fact-check; otherwise, we risk perpetuating the cycle [Ohi].
To help combat this global problem, we can use the interaction of Internet users with content producers/journalists, so that those users can interact with Web content, validating, commenting, or expressing emotions about it, in order to decrease the percentage of false, malicious or questionable content, while simultaneously creating a profile of those same users and content producers through the application of reputation rules. With this strategy, online content producers can obtain dynamic interaction and feedback from the public about the published content, so that they can fact-check it and reach a greater degree of truthfulness. This Master's dissertation presents a Web tool that allows users to perform fast fact-checking, interacting with the media responsible for a given news item or text. This work begins by presenting a study of the main tools and techniques being used in journalism for fact-checking. It then describes in detail the implementation process of the developed tool, which consists of a Web extension to assist in this fact-checking domain. Finally, the dissertation presents some tests that were carried out to evaluate the feasibility of the solution.