Researchers Win Best Paper With New Work on Browser Extension Vulnerability
9/1/2010 5:22:00 AM
All four of today’s most popular web browsers - Internet Explorer, Firefox, Safari, and Chrome - support extensions, pieces of software from third parties that function inside of a browser and add functionality. Since these extensions are usually promoted through online marketplaces for each browser, they are extremely easy to find and install. Because they are are often advertised by and downloaded from the websites of trustworthy companies like Google and Mozilla, users inherently trust the extensions themselves.
A team of Illinois computer science researchers suggest that in many cases, this trust might be misplaced. In a research paper entitled “VEX: Vetting Browser Extensions For Security Vulnerabilities”, Sruthi Bandhakavi, an Illinois PhD student co-advised by Marianne Winslett and P. Madhusudan and helped by Sam T. King, outlines how subtle vulnerabilities in browser extensions could lead to disastrous attacks. The work won the best paper award at the 19th USENIX Security Symposium held at Washington D.C., an event that brings researchers, programmers, and others interested in the latest security advancements together.
What do we have to worry about? “Firefox extensions run with full browser privileges, so attackers can potentially exploit extension weaknesses to take over the browser, steal cookies or protected passwords, compromise confidential information, or even hijack the host system, without revealing their actions to the user,” says Bandhakavi. Essentially, installing one of these vulnerable extensions is like opening a doorway to sites with malicious intent who know how to exploit those weaknesses. Even more unfortunate is that this type of attack can’t be found or stopped by antivirus software.
“The main target of this work is the extension editors (people who vet extensions before they are made public), who could use this tool to analyze thousands of extensions simultaneously,” claims Bandhakavi. The people controlling the extension marketplaces (Google, Apple, etc) often don’t have the tools to extensively test these extensions adds Prof. Parthasarathy. Put that together and it’s easy to see that the the aim of their framework is to “help [these companies] find the vulnerabilities before they affect the populace at large” by making it easier and faster to do so. That said, Bandhakavi hopes her work can also help to educate extensions developers in understanding ways their code could be compromised.
While her program only works on Firefox extensions currently, Bandhakavi plans to modify it to also analyze Chrome extensions next.