Computers & Security

Colluding browser extension attack on user privacy and its implication for web browsers



Abstract

Browser functionality can be widely extended by browser extensions. One of the key features that makes browser extensions so powerful is that they run with "high" privileges. As a consequence, a vulnerable or malicious extension might expose resources to attacks such as privilege escalation, information stealing, and session hijacking. By resources we mean the browser components or the system resources accessed through browser extensions. In addition, an extension can even interact with other installed extensions to perform various tasks such as sharing information, notifying events, and changing preferences. In this paper, we extend the concept of colluding extensions discussed in the literature. Furthermore, we demonstrate a new attack that leverages this concept and causes privacy leakage in a web browser. The communication between extensions permits two extensions to collude with each other and share objects that are allocated in the same address space. As an improvement on the work discussed in the literature, we show how colluding extensions can communicate over overt and covert communication channels to execute colluding attacks. In addition, we test the effectiveness of the newly identified attacks against representative state-of-the-art techniques for browser extensions. In particular, we identify (a) object reference sharing, (b) event notification, and (c) preference overriding as the vulnerable points in the browser extension system. We illustrate the effectiveness of the proposed attack through colluding extensions using various attack scenarios, and we provide a proof-of-concept implementation for web domains including the banking and shopping domains. We believe that the use-case scenarios we consider in our demonstration further underline the severity of the presented attack. Finally, we discuss possible mitigation techniques to address the given colluding attack.
