After you, please: browser extensions order attacks and countermeasures

Picazo Sánchez, Pablo; Estévez Tapiador, Juan Manuel; Schneider, Gerardo

Publication:
After you, please: browser extensions order attacks and countermeasures

dc.affiliation.dpto	UC3M. Departamento de Informática	es
dc.affiliation.grupoinv	UC3M. Grupo de Investigación: COSEC (Computer SECurity Lab)	es
dc.contributor.author	Picazo Sánchez, Pablo
dc.contributor.author	Estévez Tapiador, Juan Manuel
dc.contributor.author	Schneider, Gerardo
dc.contributor.funder	Comunidad de Madrid	es
dc.contributor.funder	European Commission	en
dc.contributor.funder	Ministerio de Economía y Competitividad (España)	es
dc.date.accessioned	2021-12-09T15:25:35Z
dc.date.available	2021-12-09T15:25:35Z
dc.date.issued	2020-12-01
dc.description.abstract	Browser extensions are small applications executed in the browser context that provide additional capabilities and enrich the user experience while surfing the web. The acceptance of extensions in current browsers is unquestionable. For instance, Chrome's official extension repository has more than 63,000 extensions, with some of them having more than 10M users. When installed, extensions are pushed into an internal queue within the browser. The order in which each extension executes depends on a number of factors, including their relative installation times. In this paper, we demonstrate how this order can be exploited by an unprivileged malicious extension (i.e., one with no more permissions than those already assigned when accessing web content) to get access to any private information that other extensions have previously introduced. We propose a solution that does not require modifying the core browser engine, since it is implemented as another browser extension. We prove that our approach effectively protects the user against usual attackers (i.e., any other installed extension) as well as against strong attackers having access to the effects of all installed extensions (i.e., knowing who did what). We also prove soundness and robustness of our approach under reasonable assumptions.	en
dc.description.sponsorship	This work was partially supported by the Swedish Research Council (Vetenskapsrådet) through the Grant PolUser (2015-04154), the Swedish funding agency SSF under the Grant Data Driven Secure Business Intelligence, the Spanish Government through MINECO Grant SMOG-DEV (TIN2016-79095-C2-2-R) and by the Comunidad de Madrid under the Grant CYNAMON (P2018/TCS-4566), co-financed by European Structural Funds (ESF and FEDER)	en
dc.identifier.bibliographicCitation	Picazo-Sanchez, P., Tapiador, J. & Schneider, G. After you, please: browser extensions order attacks and countermeasures. Int. J. Inf. Secur. 19, 623–638 (2020). https://doi.org/10.1007/s10207-019-00481-8	e
dc.identifier.doi	https://doi.org/10.1007/s10207-019-00481-8
dc.identifier.issn	1615-5262
dc.identifier.publicationfirstpage	623
dc.identifier.publicationlastpage	638
dc.identifier.publicationtitle	International Journal of Information Security	en
dc.identifier.publicationvolume	19
dc.identifier.uri	https://hdl.handle.net/10016/33729
dc.identifier.uxxi	AR/0000025985
dc.language.iso	eng	en
dc.publisher	Springer	en
dc.relation.projectID	Gobierno de España. TIN2016-79095-C2-2-R	es
dc.relation.projectID	Comunidad de Madrid. P2018/TCS-4566-CM	es
dc.rights	© The Author(s) 2019	en
dc.rights	Atribución 3.0 España
dc.rights.accessRights	open access	en
dc.rights.uri	http://creativecommons.org/licenses/by/3.0/es/	en
dc.subject.eciencia	Informática	es
dc.subject.other	web security	en
dc.subject.other	privacy	en
dc.subject.other	browser extensions	en
dc.subject.other	malware	en
dc.subject.other	chrome	en
dc.title	After you, please: browser extensions order attacks and countermeasures	en
dc.type	research article	*
dc.type.hasVersion	VoR	*
dspace.entity.type	Publication