DocumentCode :
1782735
Title :
Analyzing the dangers posed by Chrome extensions
Author :
Bauer, Lujo ; Shaoying Cai ; Limin Jia ; Passaro, Timothy ; Yuan Tian
Author_Institution :
Carnegie Mellon Univ., Pittsburgh, PA, USA
fYear :
2014
fDate :
29-31 Oct. 2014
Firstpage :
184
Lastpage :
192
Abstract :
A common characteristic of modern web browsers is that their functionality can be extended via third-party add-ons. In this paper we focus on Chrome extensions, to which the Chrome browser exports a rich API: extensions can potentially make network requests, access the local file system, get low-level information about running processes, etc. To guard against misuse, Chrome uses a permission system to curtail an extension's privileges. We demonstrate a series of attacks by which extensions can steal data, track user behavior, and collude to elevate their privileges. Although some attacks have previously been reported, we show that subtler versions can easily be devised that are less likely to be prevented by proposed defenses and can evade notice by the user. We quantify the potential danger of attacks by examining how many currently available extensions have sufficient privileges to carry them out. As many web sites do not employ defenses against such attacks, we examine how many popular web sites are vulnerable to each kind of attack. Our results show that a surprisingly large fraction of web sites is vulnerable to many attacks, and a large fraction of currently available extensions is potentially able to carry them out.
Keywords :
Web sites; application program interfaces; online front-ends; security of data; API; Chrome extension; Web browsers; Web sites; Web-based services; danger analysis; local file system; low-level information; network requests; third-party add-ons; Browsers; Communication networks; Conferences; History; Security; Web pages;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Communications and Network Security (CNS), 2014 IEEE Conference on
Conference_Location :
San Francisco, CA
Type :
conf
DOI :
10.1109/CNS.2014.6997485
Filename :
6997485