Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

The Evil Friend in Your Browser - An Update

On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties. The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a “juice target” for attackers targeting web users.

Missed our AppSecEU talk on the security risk of browser extensions? or do you want to learn what happened during the last months? Your are lucky! We will give an updated version of our talk next weekend at the SteelCon conference in Sheffield! Update: you can also watch the recording of our talk!.

In our talk, we present results of analyzing over 2500 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective. need of browser users.

Supplementary Material

Welcome to the blog of the Software Assurance & Security Research Team at The University of Sheffield. We blog regularly news, tips & tricks, as well as fun facts about software assurance, reliability, security, testing, verification, hacking, and logic.

You can also follow us on Twitter: @logicalhacking.




academia appsec bitcoin browserextensions browsersecurity chrome cordova dast devops devsecops event extensions fixeffort floss hol-ocl hol-testgen hybridapps iast industry iot isabelle/hol logic malicous mbst mobile modeling monads ocl opensource owasp research sap sast sdlc secdevops security securityengineering securitytesting staff&positions test&proof testing tips&tricks tools tuos uk verification webinar websecurity


blog whole site