Gummy Browsers: Targeted Browser Spoofing Against State-of-the-Art Fingerprinting Techniques

Liu, Zengrui; Shrestha, Prakash; Saxena, Nitesh

doi:10.1007/978-3-031-09234-3_8

Cited by 4 publications

(1 citation statement)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Additionally, much work has been conducted on devising defensive and mitigatory measures [7,9,14,15,22,25,31,49]. Finally, literature has focused on the utilisation of fingerprinting as a tool for streamlining user authentication [1,37,38], although, some have highlighted the security limitations of such methods [26,27].…”

Section: Browser Fingerprintingmentioning

confidence: 99%

From Manifest V2 to V3: A Study on the Discoverability of Chrome Extensions

Bucci,

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Browser extensions allow users to customise and improve their web browsing experience. The Manifest protocol was introduced to mitigate the risk of accidental vulnerabilities in extensions, introduced by inexperienced developers. In Manifest V2, the introduction of webaccessible resources (WARs) limited the exposure of extension files to web pages, thereby reducing the potential for exploitation by malicious actors, which was a significant risk in the previous unrestricted access model. Building on this, Manifest V3 coupled WARs with match patterns, allowing extension developers to precisely define which websites can interact with their extensions, thereby limiting unintended exposures and reducing potential privacy risks associated with websites detecting user-installed extensions. In this paper, we investigate the impact of Manifest V3 on WAR-enabled extension discovery by providing an empirical study of the Chrome Web Store. We collected and analysed 108,416 extensions and found that Manifest V3 produces a relative reduction in WAR detectability ranging between 4% and 10%, with popular extensions exhibiting a higher impact. Additionally, our study revealed that 30.78% of extensions already transitioned to Manifest V3. Finally, we implemented X-Probe, a live demonstrator showcasing WAR-enabled discovery. Our evaluation shows that our demonstrator can detect 22.74% of Manifest V2 and 18.3% of Manifest V3 extensions. Moreover, within the 1000 most popular extensions, the detection rates rise to a substantial 58.07% and 47.61%, respectively. In conclusion, our research shows that developers commonly associate broad match patterns to their WARs either because of poor security practices, or due to the inherent functional requirements of their extensions.

show abstract