Browser Extension Compromise
Caroline Sheng
Outline
• Introduction
• Privileges and Permissions
• Malware extensions
• Security Threats
• Human Factors
• Problems
• Where do we go from here?
• What can you do?
Introduction
• What are browser extensions?
  ◦ A piece of software
• What do they do?
  ◦ Extend the functionality of web browsers
• Who can create them?
  ◦ Basically anyone
  ◦ Many popular extensions are written by third-party developers
Extension Statistics
• Popular examples:
  ◦ AdBlock – 40 million users on Chrome
  ◦ Tampermonkey – 10,000,000+ users
  ◦ Google Mail Checker – 5,000,000+ users on Chrome
• In 2011, 85% of Firefox users had at least one extension installed
Source: Chrome Web Store
Privileges and Permissions
• Privileges: how much access the extension has to your browser
• Extensions often require high privileges, which can put users at risk
Privileges and Permissions (cont.)
• Until 2017, all Firefox extensions were allowed complete browser privileges
  ◦ Allowed file system and network access
• Did not follow the principle of least privilege: restricting access to only the resources required to perform an activity
Permission Systems
• Now Firefox, Chrome, and Internet Explorer all have similar permission systems:
  ◦ Developers: must declare what privileges their extension requires
  ◦ Users: are notified of what permissions an extension requires before installing it
Permission Warning
• Tampermonkey: provides an environment for users to write small scripts that modify browser behavior
  ◦ More privileges required
• Web Developer: adds a toolbar to the browser with web development tools
• “Read and change all your data on the websites you visit”
  ◦ Sounds like a dangerously high privilege
  ◦ Actually is a required permission for many legitimate extensions
• Some extensions have even broader permissions
What’s wrong with this?
• The nature of many browser extensions (both legitimate and not) requires them to have almost completely unrestrained access
• Once installed, extension code is fully trusted by the browser, even though it is essentially third-party code
• Offers an easy attack vector for those with malicious intent
So what?
• Some browser extensions have been downloaded by millions of users
• If a browser extension is compromised, all of its users may be affected
A brief look at malware extensions
What malicious extensions are capable of
Malware Extensions
• More common than we think:
  ◦ An analysis by security researchers of 48,000 Chrome extensions in 2014 found:
    ▪ 130 outright malicious extensions
    ▪ 4,712 suspicious extensions
  ◦ The malicious extensions engaged in a variety of abuse:
    ▪ Affiliate fraud
    ▪ Credential theft
    ▪ Advertising fraud
    ▪ Social network abuse
Malware Extensions (cont.)
• Examples of malware extensions:
  ◦ FormSpy – 2006
    ▪ Trojan which installed itself as a legitimate Firefox extension
    ▪ Intercepted passwords and credit card numbers entered into the browser
  ◦ Interface Online – 2017
    ▪ Bank fraud scam
    ▪ Logged usernames and passwords entered into forms
    ▪ Was available for two weeks before being taken down by Google
Security Threats
How are browser extensions compromised?
Security Threats
• Benign extensions hacked
  ◦ Code vulnerabilities
  ◦ Social engineering
• Extensions bought, sold, and changed
  ◦ Popular extension developers offered significant sums to sell their extension to suspicious parties
Code Vulnerabilities
• At DEFCON 2009, Liverani and Freeman demonstrated attacks against a number of popular Firefox extensions
• Many of the vulnerabilities found were among the OWASP Top 10
• Ex: “if a user dragged an image from a malicious web page into the extension, the web site operator could install a remote desktop server on the user’s machine and take control of the user’s mouse and keyboard” [2]
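The drag-and-drop case quoted above is one instance of a general pattern: data that a web page controls reaches code running with the extension's full privileges. The following is an added example, not code from these slides or from any extension they name, of the standard defence: a privileged background script that validates every message arriving from a content script (which runs inside the web page) against an allowlist before acting on it. The message shape, the two action names, the placeholder extension id and the sample messages are constructed here; chrome.runtime.onMessage, sender.id and chrome.tabs.create are real WebExtension APIs.

```javascript
// Added example, not from the slides or from any extension they name: a
// privileged background script that validates every message a content script
// sends before acting on it. Content scripts run inside web pages, so their
// messages may be shaped by the page; the background context holds the real
// privileges, so it is the place to enforce an allowlist.
//
// Assumptions: the message shape ({ action, ...fields }), the two action names,
// the placeholder extension id and the sample messages are constructed here.
// chrome.runtime.onMessage, sender.id and chrome.tabs.create are real
// WebExtension APIs.

// Placeholder; a real extension would use chrome.runtime.id.
const OWN_EXTENSION_ID = "placeholder-extension-id";

// Every action the background script will perform, with the exact fields it
// accepts and their types. Anything not listed is refused.
const ALLOWED_ACTIONS = {
  openTab: { fields: { url: "string" } },
  saveNote: { fields: { text: "string" } },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Only http(s) URLs may be opened on behalf of a page. Rejecting every other
// scheme keeps file:, chrome: and javascript: URLs out of the privileged context.
function isSafeNavigationUrl(value) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return false;
  }
  return parsed.protocol === "https:" || parsed.protocol === "http:";
}

// Returns { ok: true, action, params } for an acceptable message, otherwise
// { ok: false, reason }. Never throws, whatever shape the input has.
function validateMessage(message, sender) {
  if (!sender || sender.id !== OWN_EXTENSION_ID) {
    return { ok: false, reason: "sender is not this extension" };
  }
  if (typeof message !== "object" || message === null || Array.isArray(message)) {
    return { ok: false, reason: "message is not an object" };
  }
  // hasOwn rather than a plain lookup: "constructor" or "__proto__" as an
  // action would otherwise resolve through Object.prototype and look allowed.
  if (typeof message.action !== "string" || !hasOwn(ALLOWED_ACTIONS, message.action)) {
    return { ok: false, reason: "unknown action" };
  }
  const spec = ALLOWED_ACTIONS[message.action];
  // Reject extra fields so a page cannot smuggle in parameters the handler
  // never meant to accept.
  for (const key of Object.keys(message)) {
    if (key !== "action" && !hasOwn(spec.fields, key)) {
      return { ok: false, reason: `unexpected field ${key}` };
    }
  }
  const params = {};
  for (const [field, type] of Object.entries(spec.fields)) {
    if (typeof message[field] !== type) {
      return { ok: false, reason: `field ${field} must be ${type}` };
    }
    params[field] = message[field];
  }
  if (message.action === "openTab" && !isSafeNavigationUrl(params.url)) {
    return { ok: false, reason: "url scheme not allowed" };
  }
  if (message.action === "saveNote" && params.text.length > 1000) {
    return { ok: false, reason: "text too long" };
  }
  return { ok: true, action: message.action, params };
}

// Wiring for a real background script; skipped when run outside a browser.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    const result = validateMessage(message, sender);
    if (!result.ok) {
      console.warn("rejected content-script message:", result.reason);
      sendResponse({ error: "rejected" });
      return;
    }
    if (result.action === "openTab") chrome.tabs.create({ url: result.params.url });
    sendResponse({ ok: true });
  });
}

// Constructed sample messages, as they might arrive from a content script.
const SAMPLE_SENDER = { id: OWN_EXTENSION_ID, tab: { id: 1 } };
const SAMPLE_MESSAGES = [
  { action: "openTab", url: "https://example.org/page" },
  { action: "openTab", url: "file:///tmp/report.html" },
  { action: "constructor", url: "https://example.org/" },
  { action: "saveNote", text: "hello", extra: "not in the spec" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const m of SAMPLE_MESSAGES) {
    console.log(JSON.stringify(m), "->", JSON.stringify(validateMessage(m, SAMPLE_SENDER)));
  }
}
```

Run with `node` to see each sample message accepted or rejected with its reason. The checks are deliberately boring: sender identity, exact action allowlist, exact field set and types, and a scheme check on anything that will be passed to a privileged API. That boundary is what the vulnerable extensions in the DEFCON talk lacked.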
Social Engineering
• Example: in August 2017, the Web Developer extension was updated to supply adware to users because its creator (Chris Pederick) fell for a phishing attack
• One of the ads displayed by the fraudulently updated version of the Web Developer extension for Chrome
Source: [6] Ars Technica
Extension Ownership: Particle
• In July 2017, the Chrome extension Particle was sold by its original developer to another party, who promptly turned it into adware
An extension update
• Chrome’s permission system meant users were informed that a new update to Particle required new permissions it had never required before:
  ◦ “Read and change data on (all) websites visited”
  ◦ “Manage apps, extensions, and themes”
• However, many users still accepted the new update and were then bombarded by ads
• The new owner added code to inject ads into sites such as Google, Bing, Amazon, and eBay
Source: [4] BleepingComputer
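The install-time warnings on the Permission Warning slide and the Particle update prompt above both come down to one question: what does the manifest declare, and what did the update add? The following is an added example, not code from these slides, from the Particle project or from any browser vendor, that audits a WebExtension manifest's declared permissions and diffs two versions of it the way a reviewer or a cautious user might before approving an update. It assumes the manifest keys `permissions` and `host_permissions` and permission names such as `management`, `webRequest` and `<all_urls>` as Chrome defines them; the risk tiers, the host-pattern test and the two sample manifests are constructed for illustration and are not a browser's own policy.

```javascript
// Added example, not from the slides, the Particle project or any browser
// vendor: audit a WebExtension manifest's declared permissions and diff two
// versions of it to list what an update newly asks for.
//
// Assumptions: "permissions" / "host_permissions" and the permission names
// below are Chrome's real manifest keys and values; the risk tiers, the
// host-pattern test and the two sample manifests are constructed for
// illustration and are not a browser's own policy.

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Risk tier per API permission (constructed; broad host access is handled separately).
const PERMISSION_RISK = {
  management: "high", // install, disable or remove other extensions
  webRequest: "high", // observe (with webRequestBlocking, alter) all traffic
  cookies: "high",
  history: "high",
  tabs: "medium", // URL and title of every open tab
  bookmarks: "medium",
  activeTab: "low", // the current tab only, and only when the user invokes the extension
  storage: "low",
  alarms: "low",
};

// Host permissions look like <scheme>://<host>/<path>; anything of that shape
// that is not one of the broad patterns is a site-scoped grant.
function looksLikeHostPattern(value) {
  return /^(\*|https?|file|ftp):\/\/.+/.test(value);
}

// MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
function declaredPermissions(manifest) {
  const api = Array.isArray(manifest.permissions) ? manifest.permissions : [];
  const host = Array.isArray(manifest.host_permissions) ? manifest.host_permissions : [];
  return [...new Set([...api, ...host])];
}

// Map one permission string to a risk tier and, where the slides quote it,
// the warning text Chrome shows the user for it.
function classify(permission) {
  if (BROAD_HOST_PATTERNS.includes(permission)) {
    return { permission, risk: "high", warning: "Read and change all your data on the websites you visit" };
  }
  if (permission === "management") {
    return { permission, risk: "high", warning: "Manage apps, extensions, and themes" };
  }
  if (Object.prototype.hasOwnProperty.call(PERMISSION_RISK, permission)) {
    return { permission, risk: PERMISSION_RISK[permission], warning: null };
  }
  if (looksLikeHostPattern(permission)) {
    return { permission, risk: "medium", warning: null };
  }
  return { permission, risk: "unknown", warning: null };
}

function audit(manifest) {
  const findings = declaredPermissions(manifest).map(classify);
  const high = findings.filter((f) => f.risk === "high");
  return { name: manifest.name, version: manifest.version, findings, high, leastPrivilege: high.length === 0 };
}

// What an update newly requests: the set Chrome's update prompt asks the user to approve.
function diffUpdate(installed, update) {
  const before = declaredPermissions(installed);
  const after = declaredPermissions(update);
  const added = after.filter((p) => !before.includes(p)).map(classify);
  const removed = before.filter((p) => !after.includes(p));
  return {
    added,
    removed,
    highRiskAdded: added.filter((f) => f.risk === "high").map((f) => f.permission),
  };
}

// Constructed sample: a site-scoped v1 and an update that asks for far more.
const SAMPLE_V1 = {
  name: "Example Site Tweaks (constructed)",
  manifest_version: 2,
  version: "1.0",
  permissions: ["activeTab", "storage", "https://example.com/*"],
};
const SAMPLE_V2 = {
  ...SAMPLE_V1,
  version: "2.0",
  permissions: ["activeTab", "storage", "<all_urls>", "management", "webRequest"],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(audit(SAMPLE_V2), null, 2));
  console.log(JSON.stringify(diffUpdate(SAMPLE_V1, SAMPLE_V2), null, 2));
}
```

Run with `node`; `audit` reports that v1 stays within least privilege while v2 does not, and `diffUpdate` lists `<all_urls>`, `management` and `webRequest` as the high-risk additions, the same two warnings the Particle update surfaced. The useful habit for a reviewer is to read the diff of permissions, not just the new list: an update that drops a site-scoped pattern and replaces it with `<all_urls>` is asking for something qualitatively different even though the permission count barely changes.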
Lack of Transparency
• A trusted extension introduced adware in a subsequent update
• Users were not notified of the change in ownership
• Users believed the extension was safe and accepted the update, allowing Particle the privileges it required to insert ads
Human Factors: Developers
• Extensions can be very simple to create; many treat it as a hobby
• Most extension developers are not security experts
  ◦ Unaware of the danger of vulnerable extensions
Human Factors: Reviewers
• Guidelines for accepting or rejecting extensions focus more on malicious extensions
• Vulnerable extensions very easily slip through the net
Human Factors: Users
• Users believe extensions are inherently safe
• Often install extensions without checking
• Unaware that extensions are often created by third-party developers
Problems (Summary)
• There is no standard secure framework for creating extensions
• Extensions are not evaluated for vulnerabilities before being released to the public
• Users have no way of defending themselves if a trusted extension they have installed is hacked
Where do we go from here?
• In security research:
  ◦ HULK: a dynamic analysis system presented at the USENIX Security Symposium 2014; detects malicious behavior in browser extensions by monitoring their execution and corresponding network activity
  ◦ VEX: “a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to extension JavaScript code”
What can you do?
• Developers:
  ◦ Follow the OWASP Top 10 guide
  ◦ Be wary of allowing others access to or control of your extension
• Users:
  ◦ Carefully evaluate extensions before deciding to install or update them
  ◦ Don’t install unnecessary extensions
References
[1] Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, Marianne Winslett. VEX: Vetting Browser Extensions for Security Vulnerabilities. Communications of the ACM, vol. 54, no. 9, 2011.
[2] Adam Barth, Adrienne Porter Felt, Prateek Saxena, Aaron Boodman. Protecting Browsers from Extension Vulnerabilities. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS 2010).
[3] Martin Brinkmann. Firefox’s new WebExtensions permission system. gHacks Technology News. URL: https://www.ghacks.net/2017/03/06/firefoxs-new-webextensions-permission-system/
[4] Catalin Cimpanu. BleepingComputer. URL: https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/
[5] Chromium Blog, December 2013. URL: https://blog.chromium.org/2013/12/keeping-chrome-extensions-simple.html
[6] Dan Goodin. After phishing attacks, Chrome extensions push adware to millions. Ars Technica. URL: https://arstechnica.com/information-technology/2017/08/after-phishing-attacks-chrome-extensions-push-adware-to-millions/
[7] Dan Goodin. Bank-fraud malware not detected by any AV hosted in Chrome web store. Twice. Ars Technica. URL: https://arstechnica.com/information-technology/2017/08/bank-fraud-malware-not-detected-by-any-av-hosted-in-chrome-web-store-twice/
[8] C. Grier, S. T. King, and D. S. Wallach. How I Learned to Stop Worrying and Love Plugins. In Web 2.0 Security and Privacy, 2009.
[9] Alexandros Kapravelos, Chris Grier, Neha Chachra, Chris Kruegel, Giovanni Vigna, and Vern Paxson. Hulk: Eliciting Malicious Behavior in Browser Extensions. In Proceedings of the USENIX Security Symposium, 2014.
[10] R. S. Liverani and N. Freeman. Abusing Firefox Extensions. DEFCON 17, July 2009.
[11] Lee Mathews. Over A Million Coders Targeted By Chrome Extension Hack. Forbes. URL: https://www.forbes.com/sites/leemathews/2017/08/03/over-a-million-coders-targeted-by-chrome-extension-hack/#5d5d3c289c9d
[12] Mozilla Add-ons Blog, June 2011. URL: https://blog.mozilla.org/addons/2011/06/21/firefox-4-add-on-users/
[13] ParticleCore. Particle. GitHub repository. URL: https://github.com/ParticleCore/Particle/issues/528
[14] Adrienne Porter Felt. Least Privilege for Browser Extensions. Master’s thesis, University of California, Berkeley.