
Defeat Information Leakage from Browser Extensions via Data Obfuscation

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8233)

Abstract

Today, web browsers have become the de facto platform for Internet users, which makes them the target of many attacks. Designed with security in mind from the very beginning, Chrome offers more protection against exploits via benign-but-buggy extensions. However, more and more attacks are launched via malicious extensions, and there is no effective solution to defeat such malicious extensions. As users’ sensitive information is often the target of such attacks, in this paper we aim to proactively defeat information leakage with our iObfus framework. With iObfus, sensitive information is always classified and labeled automatically, and it is then obfuscated before any I/O operation is conducted. In this way, users’ sensitive information is always protected even if information leakage occurs. The obfuscated information is properly restored for legitimate browser transactions. A prototype has been implemented, and iObfus works seamlessly with Chromium 25. Evaluation against malicious extensions shows the effectiveness of iObfus, while it introduces only trivial overhead to benign extensions.

Keywords

Browser Extension Chrome Data Obfuscation Information Leakage Threats 

Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  1. Department of Computer Science, George Mason University, Fairfax, U.S.A.
