
Desktop Browser Extension Security and Privacy Issues

  • Steven Ursell
  • Thaier Hayajneh
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 70)

Abstract

Since internet browsers were introduced in the 1990s, users have adopted them as a convenient method of interacting with computers and servers, whether collocated with the user or located across the planet. As browsers have become more sophisticated, additional capabilities have been made available to users through browser extensions. When written by trusted agents, these browser extensions provide safeguards for users, but browser extensions can also be written so that a user’s data can be extracted and used for purposes the user would never agree to. This paper began with the exploration of extensions in four popular browsers: Safari, Firefox, Chrome, and Internet Explorer (Edge). The author explored the security and privacy practices inherent within the extensions, but only two of these browsers will be examined in this paper. Safari is eliminating all extensions outside of its tightly controlled delivery system beginning with the debut of its new operating system in September 2018, and Internet Explorer is being replaced by Edge, which is also tightly controlled by Microsoft. Presumably, Safari and Edge extensions will be secure once the developers submit the code and it is reviewed before the extensions are published. Because there are literally thousands of browser extensions, it is not possible to examine all of them in a single paper, but it is the intent of the author to establish an evaluation framework so browser extensions can be objectively scored.

Keywords

Extension, Malware, Security, Privacy

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Fordham Center for Cybersecurity, Fordham University, New York, USA
