2019 | OriginalPaper | Chapter

Wild Extensions: Discovering and Analyzing Unlisted Chrome Extensions

Authors: Aidan Beggs, Alexandros Kapravelos

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Abstract

With browsers being a ubiquitous, if not required, method to access the web, they represent a unique and universal threat vector. Browsers can run third-party extensions virtually invisibly in the background after a quick install. In this paper, we explore the abuse of browser extensions that achieve installations via suspicious methods. We scan the web for links to extension installations by crawling the Alexa top 10,000 websites with a recursive sub-page depth of 4, and we leverage other tools to search for artifacts in the source code of webpages. We discover pages that link to both listed and unlisted extensions, often pointing to multiple different extensions that share the same name. Using this data, we were able to find 1,097 unlisted browser extensions ranging from internal directory lookup tools to hidden Google Docs extensions that pose a serious threat to their 127 million users.

Metadata

Title: Wild Extensions: Discovering and Analyzing Unlisted Chrome Extensions
Authors: Aidan Beggs, Alexandros Kapravelos
Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_1
