Discovering Browser Extensions via Web Accessible Resources
by Alexander Sjösten, Steven Van Acker, and Andrei Sabelfeld.
DOI, short version PDF, full version PDF
This paper was published and presented at CODASPY 2017.
Browser extensions provide a powerful platform to enrich browsing experience.
At the same time, they raise important security questions. From the point of
view of a website, some browser extensions are invasive, removing intended
features and adding unintended ones, e.g. extensions that hijack Facebook
likes. Conversely, from the point of view of extensions, some websites are
invasive, e.g. websites that bypass ad blockers. Motivated by this clash of
security goals, this paper explores browser extension discovery through a
non-behavioral technique based on detecting extensions' web accessible
resources. We report on an empirical study of free Chrome and Firefox
extensions in which we detect over 50% of the top 1,000 free Chrome
extensions, including popular security- and privacy-critical extensions such as
AdBlock, LastPass, Avast Online Security, and Ghostery. We also conduct an
empirical study of non-behavioral extension detection on the Alexa top 100,000
websites. We present the dual measures of making extension detection easier in
the interest of websites and making extension detection more difficult in the
interest of extensions. Finally, we discuss a browser architecture that allows
a user to take control in arbitrating the conflicting security goals.
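The following JavaScript is an added illustration of the technique the abstract describes; it is not the authors' crawler or any code from the paper. It shows both sides of the arms race: the page side, which probes chrome-extension://<id>/<path> URLs for files a known extension lists under web_accessible_resources (a fixed extension id plus a fixed path is all a site needs), and the extension side, which checks what a given manifest.json exposes and to which origins. The extension ids, resource paths and manifests are constructed placeholders, not the store ids of AdBlock, LastPass or any other real extension; probeInBrowser() is the only browser-dependent part and, because it relies on an <img> element, it only works for image resources, which is why the constructed catalog lists images. Firefox WebExtensions serve their resources from moz-extension://<uuid>/ with a UUID randomized per installation, so the fixed-URL probe shown here does not carry over to them unchanged.

```javascript
// Added example, not the paper's crawler: probing Chrome extensions through
// their web accessible resources, and checking on the manifest side whether a
// resource is exposed at all.
//
// Background (Chrome): an extension id is a fixed 32-character string over
// the letters a-p, and any file listed under "web_accessible_resources" in
// manifest.json can be loaded by a web page from
//   chrome-extension://<id>/<path>
// A page that knows (id, path) for a popular extension can therefore try to
// load that file: success means the extension is installed.

// Constructed catalog. The ids are placeholders in the right format, not the
// store ids of any real extension; the resource paths are invented as well.
const CATALOG = [
  { name: "example-adblocker",       id: "abcdefghijklmnopabcdefghijklmnop", resource: "icons/icon16.png" },
  { name: "example-pwmanager",       id: "ponmlkjihgfedcbaponmlkjihgfedcba", resource: "img/logo.png" },
  { name: "example-tracker-blocker", id: "aabbccddeeffgghhaabbccddeeffgghh", resource: "assets/blocked.png" },
];

const CHROME_EXTENSION_ID = /^[a-p]{32}$/;

// URL a page would request to probe for (id, resource).
function probeUrl(id, resource) {
  if (!CHROME_EXTENSION_ID.test(id)) throw new Error(`not a Chrome extension id: ${id}`);
  return `chrome-extension://${id}/${resource.replace(/^\/+/, "")}`;
}

// Page side. `isReachable(url)` answers whether the resource loaded; in a real
// page back it with probeInBrowser() below, in tests with a fake. Returns the
// names of catalog entries whose probe succeeded.
function detectExtensions(catalog, isReachable) {
  return catalog
    .filter((entry) => isReachable(probeUrl(entry.id, entry.resource)))
    .map((entry) => entry.name);
}

// Browser-only loader for image resources: an <img> fires "load" if the
// extension serves the file and "error" otherwise. Not exercised outside a page.
function probeInBrowser(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url;
  });
}

// Extension side: which files does a manifest expose, and to whom? Handles the
// MV2 shape (a list of path globs, exposed to every origin) and the MV3 shape
// (a list of { resources, matches } objects, exposed only to matching origins).
function exposedResources(manifest) {
  const out = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      out.push({ pattern: entry, matches: ["<all_urls>"] });
    } else {
      for (const pattern of entry.resources || []) out.push({ pattern, matches: entry.matches || [] });
    }
  }
  return out;
}

// Turn a glob with "*" wildcards into an anchored RegExp (other characters literal).
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// Simplified match-pattern check: "<all_urls>" matches everything; otherwise
// the pattern is treated as a glob over "<origin>/". Enough to tell an
// unrestricted manifest from a restricted one; not a full match-pattern parser.
function originAllowed(matchPattern, origin) {
  return matchPattern === "<all_urls>" || globToRegExp(matchPattern).test(`${origin}/`);
}

// Could a page at `origin` load `path` from an extension with this manifest?
// If this is false for every resource, the fixed-URL probe has nothing to hit.
function isWebAccessible(manifest, path, origin = "https://any-site.example") {
  return exposedResources(manifest).some(
    ({ pattern, matches }) => globToRegExp(pattern).test(path) && matches.some((m) => originAllowed(m, origin)),
  );
}

// Stand-alone demo with a fake loader standing in for the browser: pretend the
// first and third catalog entries are installed.
const simulatedInstalled = new Set([
  probeUrl(CATALOG[0].id, CATALOG[0].resource),
  probeUrl(CATALOG[2].id, CATALOG[2].resource),
]);
console.log("detected:", detectExtensions(CATALOG, (url) => simulatedInstalled.has(url)));
```

On the extension side, the defensive lever this exposes is the manifest itself: an MV2 list of globs is reachable from every origin, while an MV3 entry with a narrow `matches` list (or no web accessible resources at all) leaves nothing for a third-party page to probe. On the page side, a real deployment would run probeInBrowser() for every catalog entry and feed the results to detectExtensions().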
Source code for the crawler is available upon request.