Securing Legacy Firefox Extensions with SENTINEL

Onarlıoğlu, Kaan; Battal, Mustafa; Robertson, William; Kirda, Engin

doi:10.1007/978-3-642-39235-1_7

Cited by 15 publications

(9 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another dynamic approach was proposed by Onarlioglu [28]. User can use pre-defined or his own security policies to prevent attacks such as remote code execution and password theft.…”

Section: Related Workmentioning

confidence: 99%

OPEXA: analyser assistant for detecting over‐privileged extensions

Khazaei

Homaei

Shahriari

2018

IET Information Security

View full text Add to dashboard Cite

“…Another dynamic approach was proposed by Onarlioglu [28]. User can use pre-defined or his own security policies to prevent attacks such as remote code execution and password theft.…”

Section: Related Workmentioning

confidence: 99%

OPEXA: analyser assistant for detecting over‐privileged extensions

Khazaei

Homaei

Shahriari

2018

IET Information Security

View full text Add to dashboard Cite

“…This paper is an extended version of the authors' previous work titled Securing Legacy Firefox Extensions with Sentinel [7].…”

Section: Related Workmentioning

confidence: 99%

“…This paper is an extended version of the authors' previous work titled Securing Legacy Firefox Extensions with Sentinel [7]. While the scope of our previous work is limited to proposing a defense against XPCOM-based extension attacks, this paper describes and addresses two additional attack classes (i.e., malicious XUL element manipulations and JavaScript namespace collision exploits) for achieving more comprehensive Firefox extension security.…”

Section: Introductionmentioning

confidence: 99%

SENTINEL: Securing Legacy Firefox Extensions

Onarlıoğlu

Buyukkayhan

Robertson

et al. 2015

Computers & Security

Self Cite

View full text Add to dashboard Cite

“…Due to their privileged position in browsers, it is well understood that extensions pose serious security and privacy threats to user data [7], [8], [9], [10], [11], [12], [13]. Therefore, in order to limit extensions capabilities, a mandatory permission system requires that extensions explicitly declare the set of APIs they effectively need to access.…”

Section: Introductionmentioning

confidence: 99%

EmPoWeb: Empowering Web Applications with Browser Extensions

Somé

2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Browser extensions are third party programs, tightly integrated to browsers, where they execute with elevated privileges in order to provide users with additional functionalities. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application. They also have access to sensitive user information including browsing history, bookmarks, credentials (cookies) and list of installed extensions. They have access to a permanent storage in which they can store data as long as they are installed in the user's browser. They can trigger the download of arbitrary files and save them on the user's device.For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information.In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions' APIS, web applications can bypass SOP and access user data on any other web application, access user credentials (cookies), browsing history, bookmarks, list of installed extensions, extensions storage, and download and save arbitrary files in the user's device.Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users. We discuss countermeasures and proposals, and believe that our study and in particular the tool we used to detect and exploit these threats, can be used as part of extensions review process by browser vendors to help them identify and fix the aforementioned problems in extensions.

show abstract

Securing Legacy Firefox Extensions with SENTINEL

Cited by 15 publications

References 12 publications

OPEXA: analyser assistant for detecting over‐privileged extensions

OPEXA: analyser assistant for detecting over‐privileged extensions

SENTINEL: Securing Legacy Firefox Extensions

EmPoWeb: Empowering Web Applications with Browser Extensions

Contact Info

Product

Resources

About