Secure Information Technology Center – Austria

Analysis of Browser-Extensions

Browser extensions can extend the functionality of modern web browsers almost arbitrarily. However, they are often used for malicious activities because they can easily access sensitive data (e.g. cookies). Likewise, benign but faulty extensions can be used for targeted attacks that exploit errors in the implementation. The security mechanisms of modern browsers usually provide only limited protection against such attacks. This study therefore deals with the dangers posed by benign browser extensions.

For this purpose, we developed an analysis framework that automatically analyses browser extensions for potential weaknesses. Using Google Chrome as an example, we analysed 1000 extensions. The results show that many benign extensions contain implementation errors which, under some circumstances, allow an attacker to gain control over browser extensions. The analysis also shows that many deployed security mechanisms concentrate on protection against malware. Users often have hardly any control over the functionality that is used.

In the spirit of responsible disclosure, we present the results statistically, so that no conclusions can be drawn about weaknesses of specific extensions. This work is intended to help developers of browser extensions avoid frequent errors and to support them in the implementation process.



Title             Version   Date
Report (German)   1.0       2017-05-12
Analysis Tool     1.0       2017-05-12

Posted 24.05.2017, Category: IT-Security, Web Technologies.