Privacy Leakage Attacks in Browsers by Colluding Extensions

Authors: Anil Saini, Manoj Singh Gaur, Vijay Laxmi, Tushar Singhal, Mauro Conti

DOI: 10.1007/978-3-319-13841-1_15

Keywords: Web application, File system, Privilege escalation, Computer science, Personalization, Computer security

Abstract: Browser Extensions (BE) enhance the core functionality of and provide customization to it. extensions enjoy high privileges, sometimes with same privileges as itself. As a consequence, vulnerable or malicious extension might expose system resources attacks. This may put at risk unwanted operations, privilege escalation etc. BE can snoop on web applications, launch arbitrary processes, even access files from host file system. In addition that, an collude other installed share objects change preferences. Although well-intentioned, developers are often not security experts. Hence, they end up writing code. this paper we present new attacks via extensions. particular, attack allows two communicate collaborate each in such way achieve goal. We identify points development framework as: (a) object reference sharing, (b) preference overriding. illustrate effectiveness proposed using various scenarios. Furthermore, proof-of-concept illustration for domains including Banking & shopping. believe that scenarios use use-case demonstration underlines severity presented attack. Finally, also contribute initial address

References (9)
Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittman, Samuel T. King, P. Madhusudan, Marianne Winslett. Vetting browser extensions for security vulnerabilities with VEX. Communications of the ACM, vol. 54, pp. 91-99 (2011). DOI: 10.1145/1995376.1995398
Timothy Dougan, Kevin Curran. Man in the Browser Attacks. International Journal of Ambient Computing and Intelligence, vol. 4, pp. 29-39 (2012). DOI: 10.4018/JACI.2012010103
Mike Ter Louw, Jin Soon Lim, V. N. Venkatakrishnan. Extensible Web Browser Security. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 1-19 (2007). DOI: 10.1007/978-3-540-73614-1_1
Mohan Dhawan, Vinod Ganapathy. Analyzing Information Flow in JavaScript-Based Browser Extensions. Annual Computer Security Applications Conference, pp. 382-391 (2009). DOI: 10.1109/ACSAC.2009.43
Anil Saini, Manoj Singh Gaur, Vijay Laxmi. The darker side of Firefox extension. Proceedings of the 6th International Conference on Security of Information and Networks - SIN '13, pp. 316-320 (2013). DOI: 10.1145/2523514.2527011
Daniel Hedin, Arnar Birgisson, Luciano Bello, Andrei Sabelfeld. JSFlow: tracking information flow in JavaScript and its APIs. ACM Symposium on Applied Computing, pp. 1663-1671 (2014). DOI: 10.1145/2554850.2554909
Xinwen Zhang, Guanhua Yan, Songqing Chen, Lei Liu. Chrome Extensions: Threat Analysis and Countermeasures. Network and Distributed System Security Symposium (2012).
Roland Büschkes, Pavel Laskov, Bernhard Hämmerli, Robin Sommer, Klaus Julisch, Christopher Kruegel. Detection of Intrusions and Malware, and Vulnerability Assessment (2008).