The Evil Friend in Your Browser

By Achim D. Brucker and Michael Herzberg.

On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties. The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users.

We present results of analysing over 2500 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective. need of browser users.

Please cite this work as follows:
A. D. Brucker and M. Herzberg, “The evil friend in your browser,” presented at the OWASP AppSec EU, Belfast, UK, May 11, 2017. Author copy: http://logicalhacking.com/publications/talk-brucker.ea-owasp-evil-friend-2017/

BibTeX
@Unpublished{ talk:brucker.ea:owasp-evil-friend:2017,
  date              = {2017-05-11},
  title             = {The Evil Friend in Your Browser},
  author            = {Achim D. Brucker and Michael Herzberg},
  venue             = {Belfast, UK},
  eventtitle        = {OWASP AppSec EU},
  abstract          = {On the one hand, browser extensions, e.g., for Chrome, are
                       very useful, as they extend web browsers with additional
                       functionality (e.g., blocking ads). On the other hand, they
                       are the most dangerous code that runs in your browsers:
                       extension can read and modify both the content displayed in
                       the browser. As they also can communicate with any web-site or
                       web-service, they can report both data and metadata to
                       external parties. The current security model for browser
                       extensions seems to be inadequate for expressing the security
                       or privacy needs of browser users. Consequently, browser
                       extensions are a "juice target" for attackers targeting web
                       users.
                       
                       We present results of analysing over 2500 browser extensions
                       on how they use the current security model and discuss
                       examples of extensions that are potentially of high risk.
                       Based on the results of our analysis of real world browser
                       extensions as well as our own threat model, we discuss the
                       limitations of the current security model form a user
                       perspective. need of browser users.},
  slideshare        = {key/kJCkWqdV9RJYFd},
  video             = {https://youtu.be/3r0u8YpiDTY},
  slideshare_width  = {595},
  slideshare_height = {485},
  areas             = {security, software},
  note              = {Author copy: \url{http://logicalhacking.com/publications/talk-brucker.ea-owasp-evil-friend-2017/}},
}