Browser extensions are third party programs, tightly integrated to browsers,
where they execute with elevated privileges in order to provide users with
additional functionalities. Unlike web applications, extensions are not subject
to the Same Origin Policy (SOP) and therefore can read and write user data on
any web application. They also have access to sensitive user information
including browsing history, bookmarks, cookies and list of installed
extensions. Extensions have a permanent storage in which they can store data
and can trigger the download of arbitrary files on the user's device. For
security reasons, browser extensions and web applications are executed in
separate contexts. Nonetheless, in all major browsers, extensions and web
applications can interact by exchanging messages. Through these communication
channels, a web application can exploit extension privileged capabilities and
thereby access and exfiltrate sensitive user information. In this work, we
analyzed the communication interfaces exposed to web applications by Chrome,
Firefox and Opera browser extensions. As a result, we identified many
extensions that web applications can exploit to access privileged capabilities.
Through extensions' APIS, web applications can bypass SOP, access user cookies,
browsing history, bookmarks, list of installed extensions, extensions storage,
and download arbitrary files on the user's device. Our results demonstrate that
the communications between browser extensions and web applications pose serious
security and privacy threats to browsers, web applications and more importantly
to users. We discuss countermeasures and proposals, and believe that our study
and in particular the tool we used to detect and exploit these threats, can be
used as part of extensions review process by browser vendors to help them
identify and fix the aforementioned problems in extensions.Comment: 40th IEEE Symposium on Security and Privacy May 2019 Application
security; Attacks and defenses; Malware and unwanted software; Mobile and Web
security and privacy; Privacy technologies and mechanism