Floragasse 7 – 5th floor, 1040 Vienna
Subscribe to our Newsletter

Exploiting extensions capabilities via message passing APIs

January 18, 2019
9:30 am - 11:00 am
S&P Meeting Room

On Friday we will receive the visit of Dr. Dolière Francis Somé who is applying for a Postdoc position in our group. Dolière will give a talk on his work about the security of browser extensions that has recently been accepted at IEEE S&P. You are all welcome to attend!

Where: S&P meeting room (Favoritenstrasse 9-11, 1st floor, room HB 0108)
When: 09:30

Browser extensions are third party programs, tightly integrated to browsers, where they execute with elevated privileges in order to provide users with additional functionalities. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application. They also have access to sensitive user information including browsing history, bookmarks, cookies and list of installed extensions.
For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information.
In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions’ APIS, web applications can bypass SOP, access user cookies, browsing history, etc. Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users. We discuss countermeasures and proposals, and believe that our study and in particular the tool we used to detect and exploit these threats, can be used as part of extensions review process by browser vendors to help them identify and fix the aforementioned problems in extensions.

Short Bio
Dolière Francis Somé obtained his PhD in Computer Science in October 2018 at the University Côte d’Azur (Nice, France) under the supervision of Tamara Rezk and Nataliia Bielova, both researchers at Inria. During his studies, Dolière studied how the interactions of the Content Security Policy (CSP) with other existing security mechanisms enforced by browsers can unexpectedly weaken CSP. He also developed a static analysis technique to detect security threats in browser extensions, which is the topic of this talk. Currently Dolière is working as a postdoc at Inria on IoT security.