Towards Improving Browser Extension Permission Management and User Awareness

Marouf, Said; Shehab, Mohamed

doi:10.4108/icst.collaboratecom.2012.250642

Cited by 4 publications

(2 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Proposals in this category require users to trust one particular extension and install it consciously. Marouf et al proposed a run-time framework called REM that monitors the access made by extensions and provides customized permission [11]. They developed an extension for monitoring other extension based on REM.…”

Section: Related Workmentioning

confidence: 99%

“…Existing solutions to prevent malicious extensions generally involve changing the browser's internal design [4], [5], [6], strengthening the vetting process of repositories [2], [7], [8], [9], [10], asking users to install yet another (trusted) extension that detects malicious behaviour of other extensions [11], [12] or requiring an external hardware device (e.g., Cronto) that performs out-of-band transaction verification.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DOMtegrity: ensuring web page integrity against malicious browser extensions

Toreini

Shahandashti

Mehrnezhad

et al. 2019

Int. J. Inf. Secur.

View full text Add to dashboard Cite

In this paper, we address an unsolved problem in the real world: how to ensure the integrity of the web content in a browser in the presence of malicious browser extensions? The problem of exposing confidential user credentials to malicious extensions has been widely understood, which has prompted major banks to deploy two-factor authentication. However, the importance of the “integrity” of the web content has received little attention. We implement two attacks on real-world online banking websites and show that ignoring the “integrity” of the web content can fundamentally defeat two-factor solutions. To address this problem, we propose a cryptographic protocol called DOMtegrity to ensure the end-to-end integrity of the DOM structure of a web page from delivering at a web server to the rendering of the page in the user’s browser. DOMtegrity is the first solution that protects DOM integrity without modifying the browser architecture or requiring extra hardware. It works by exploiting subtle yet important differences between browser extensions and in-line JavaScript code. We show how DOMtegrity prevents the earlier attacks and a whole range of man-in-the-browser attacks. We conduct extensive experiments on more than 14,000 real-world extensions to evaluate the effectiveness of DOMtegrity.

show abstract

Section: Related Workmentioning

confidence: 99%