Browser Extension Compromise
Caroline Sheng

Outline
— Introduction
— Privileges and Permissions
— Malware extensions
— Security Threats
— Human Factors
— Problems
— Where do we go from here?
— What can you do?

Introduction
— What are browser extensions?
  — A piece of

— What do they do?
  — Extend the functionality of web browsers
— Who can create them?
  — Basically anyone
  — Many popular extensions are written by third-party developers

Extension Statistics
— Popular examples:
  — AdBlock – 40 million users on Chrome
  — – 10,000,000+ users
  — Mail Checker – 5,000,000+ users on Chrome
Source:

— In 2011, 85% of users had at least one extension installed

Privileges and Permissions
— Privileges: how much access does the extension have to your browser?

— Extensions often require high privileges, which can put users at risk

Privileges and Permissions (cont.)
— Until 2017, all Firefox extensions were allowed complete browser privileges
  — Allowed file system and network access

— Did not follow the principle of least privilege: restricting access to only the resources required to perform an activity

Permission Systems
— Now, Firefox, Chrome, and all have similar permission systems:
  — Developers must define what privileges their extension requires
  — Users are notified of what permissions an extension requires before installing it

Permission Warning

— Tampermonkey: provides an environment for users to write small scripts that modify browser behavior

More privileges required

— Web Developer: adds a toolbar to the browser with web development tools
— Warning shown: “Read and change all your data on the websites you visit”
  — Sounds like a dangerously high privilege
  — Actually a required permission for many legitimate extensions
  — Some extensions have even broader permissions

What’s wrong with this?
— The nature of many browser extensions (both legitimate and not) requires them to have almost completely unrestrained access

— Once installed, extension code is fully trusted by the browser, even though it is essentially third-party code
— Offers an easy attack vector for those with malicious intent

So what?
— Some browser extensions have been downloaded by millions of users

— If a is compromised, all users may be affected

A brief look at malware extensions
What malicious extensions are capable of

Malware Extensions
— More common than we think:
  — An analysis by security researchers of 48,000 Chrome extensions in 2014 found:
    — 130 outright malicious extensions
    — 4,712 suspicious extensions
  — The malicious extensions engaged in a variety of:
    — Affiliate fraud
    — Credential theft
    — Advertising fraud
    — Social network abuse

Malware Extensions (cont.)
— Examples of malware extensions:
  — FormSpy (2006)
    — Trojan which installed itself as a legitimate Firefox extension
    — Intercepted passwords and credit card numbers entered into the browser
  — Interface Online (2017)
    — Bank fraud scam
    — Logged usernames and passwords entered into forms
    — Was available for two weeks before being taken down by Google

Security Threats
How are browser extensions compromised?

Security Threats
— Benign extensions hacked
  — Code vulnerabilities
  — Social engineering
— Extensions bought, sold, and changed
  — Popular extension developers offered significant sums to sell their extension to suspicious parties

Code Vulnerabilities
— At DEFCON 2009, Liverani and Freeman demonstrated attacks against a number of popular Firefox extensions

— Many of the vulnerabilities found were among the OWASP Top 10

— Example: “if a user dragged an image from a malicious web page into the extension, the web site operator could install a remote desktop server on the user’s machine and take control of the user’s mouse and keyboard” [2]

Social Engineering
— Example: in August 2017, the Web Developer extension was updated to supply adware to users because its creator (Chris Pederick) fell for a phishing attack
— One of the ads displayed by a fraudulently updated version of the Web Developer extension for Chrome
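The Code Vulnerabilities slide above describes the root problem of the DEFCON findings: data that originates in a web page reaches the privileged side of the extension and is acted on without checks. The following is an added example, not code from the slides or from any real extension, of how a privileged background-script handler can enforce that boundary. The message and sender objects mimic the shape that chrome.runtime.onMessage passes to a listener but are plain objects so the code runs in Node; ALLOWED_ORIGINS, the ACTIONS table and STATE are assumptions made for the example.

```javascript
// Added example (not from the slides or any real extension): a privileged
// background-script message handler that checks where a message came from
// and what it asks for before acting on it.

// Assumption: only pages of this origin may talk to the privileged side.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

// The privileged side exposes a fixed menu of small operations. A message
// chooses one by name; it never supplies code, URLs to fetch, or file paths.
const ACTIONS = {
  getSetting: (params, state) => ({
    // Own-property lookup so a key like "__proto__" cannot reach
    // Object.prototype through the settings object.
    value: Object.prototype.hasOwnProperty.call(state.settings, params.key)
      ? state.settings[params.key]
      : null,
  }),
  countTabs: (_params, state) => ({ count: state.tabs.length }),
};

// A sender is acceptable only if its URL parses and its origin is allowed.
function validateSender(sender) {
  if (!sender || typeof sender.url !== "string") return false;
  let origin;
  try {
    origin = new URL(sender.url).origin;
  } catch {
    return false; // unparsable URL: reject rather than guess
  }
  return ALLOWED_ORIGINS.has(origin);
}

// Every message is validated in order: who sent it, is it well-formed,
// is the requested action one we offer, are the parameters of the right type.
function handleMessage(message, sender, state) {
  if (!validateSender(sender)) return { error: "sender not allowed" };
  if (!message || typeof message.action !== "string") return { error: "malformed message" };
  // hasOwnProperty, not the `in` operator: otherwise "constructor" or
  // "__proto__" would resolve to Object.prototype members instead of being rejected.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, message.action)) return { error: "unknown action" };
  const params = message.params && typeof message.params === "object" ? message.params : {};
  if (params.key !== undefined && typeof params.key !== "string") return { error: "bad params" };
  return ACTIONS[message.action](params, state);
}

// Constructed in-memory state standing in for what a real extension keeps.
const STATE = { settings: { theme: "dark" }, tabs: [{ id: 1 }, { id: 2 }] };

// Usage: a message from an allowed page succeeds, one from elsewhere is refused.
console.log(handleMessage({ action: "getSetting", params: { key: "theme" } }, { url: "https://example.com/app" }, STATE));
console.log(handleMessage({ action: "getSetting", params: { key: "theme" } }, { url: "https://example.net/" }, STATE));
```

The point of the allowlisted action table is that a compromised or malicious page can only ask for one of a few fixed operations; a handler that instead evaluated strings, opened arbitrary URLs, or touched files on a page's behalf is exactly what turns a page-level attack into the "remote desktop server" outcome quoted above.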

Source: [6] Ars Technica

Extension Ownership: Particle
— In July 2017, the Chrome extension Particle was sold by its original developer to another party, who promptly turned it into adware

An extension update
— Chrome’s permission system meant users were informed that a new update to Particle required new permissions it had never required before:
  — “Read and change data on (all) websites visited”
  — “Manage apps, extensions, and themes”

— However, many users still accepted the new update and were then bombarded by ads
— The new owner added code to inject ads into sites such as Google, Bing, Amazon, and eBay
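The Permission Systems slide says developers declare what their extension needs and users are warned before installing; the Particle update above shows the same mechanism at update time, when two new broad permissions appeared in the prompt. The following is an added example, not code from the slides or from the Particle project, that applies those two ideas to manifest files: it flags broad permissions in a single manifest and reports what an update newly requests. The manifest keys ("permissions", "host_permissions") are the real Chrome/Firefox manifest format; the BROAD_PERMISSIONS list and the two SAMPLE manifests are this example's own constructions.

```javascript
// Added example (not from the slides or any browser project): audit a
// WebExtension manifest for broad permissions and flag permissions that a
// new version requests but the previous version did not.

// Permissions that correspond to the warnings shown on the slides
// (this set is the example's own choice, not a list from any browser):
//   "<all_urls>" -> "Read and change all your data on the websites you visit"
//   "management" -> "Manage your apps, extensions, and themes"
const BROAD_PERMISSIONS = new Set([
  "<all_urls>",
  "management",
  "debugger",
  "nativeMessaging",
  "webRequestBlocking",
]);

// Host patterns such as "*://*/*" or "https://*/*" cover every origin.
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^[a-z*]+:\/\/\*\/\*$/.test(pattern);
}

function isBroad(permission) {
  return BROAD_PERMISSIONS.has(permission) || isBroadHostPattern(permission);
}

// Manifest V2 mixes API and host permissions in "permissions";
// Manifest V3 moves host patterns to "host_permissions". Collect both.
function collectPermissions(manifest) {
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
}

// Returns the sorted list of broad permissions a manifest requests.
function auditManifest(manifest) {
  return [...collectPermissions(manifest)].filter(isBroad).sort();
}

// Compares two versions of a manifest the way an update review would:
// what is newly requested, and which of those new requests are broad.
function permissionEscalation(oldManifest, newManifest) {
  const before = collectPermissions(oldManifest);
  const added = [...collectPermissions(newManifest)]
    .filter((p) => !before.has(p))
    .sort();
  return { added, broadAdded: added.filter(isBroad) };
}

// Constructed sample manifests (not Particle's real manifests): v1 needs
// storage and one site; v2 adds the two permissions quoted on the slide.
const SAMPLE_V1 = {
  manifest_version: 2,
  name: "sample-extension",
  version: "1.0",
  permissions: ["storage", "https://www.youtube.com/*"],
};

const SAMPLE_V2 = {
  ...SAMPLE_V1,
  version: "1.1",
  permissions: [...SAMPLE_V1.permissions, "<all_urls>", "management"],
};

// Usage: v1 is clean; the v1 -> v2 update newly asks for two broad permissions.
console.log("v1 broad permissions:", auditManifest(SAMPLE_V1));
console.log("v1 -> v2 escalation:", permissionEscalation(SAMPLE_V1, SAMPLE_V2));
```

A reviewer, or a user deciding whether to accept an update, cares less about the absolute permission set than about the delta: an extension that has never needed "management" and suddenly asks for it is the Particle pattern, and that is what permissionEscalation surfaces.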

Source: [4] BleepingComputer

Lack of Transparency
— A trusted extension introduced adware in a subsequent update

— Users were not notified of the change in ownership
— Users believed the extension was safe and accepted the update, allowing Particle the privileges it required to insert ads

Human Factors: Developers
— Extensions can be very simple to create; many treat it as a hobby

— Most extension developers are not security experts
  — Unaware of the danger of vulnerable extensions

Human Factors: Reviewers
— Guidelines for accepting or rejecting extensions focus more on malicious extensions

— Vulnerable extensions very easily slip through the net

Human Factors: Users
— Users believe extensions are inherently safe
— Often install extensions without checking them

— Unaware that extensions are often created by third-party developers

Problems (Summary)
— There is no standard secure framework for creating extensions

— Extensions are not evaluated for vulnerabilities before being released to the public

— Users have no way of defending themselves if a trusted extension they have installed is hacked

Where do we go from here?
— In security research:
  — HULK: a dynamic analysis system presented at the USENIX 2014 Security Symposium
    — Detects malicious behavior in browser extensions by monitoring their execution and corresponding network activity
  — VEX: “a framework for highlighting potential security vulnerabilities in browser extensions by applying static information- analysis to extension Javascript code”

What can you do?
— Developers:
  — Follow the OWASP Top 10 guide
  — Be wary of allowing others access to or control of your extension

— Users:
  — Carefully evaluate extensions before deciding to install or update them
  — Don’t install unnecessary extensions

References

— [1] Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, Marianne Winslett. VEX: Vetting Browser Extensions For Security Vulnerabilities. Communications of the ACM, v.54 n.9, 2011.

— [2] Adam Barth, Adrienne Porter Felt, Prateek Saxena, Aaron Boodman. Protecting Browsers from Extension Vulnerabilities. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS Symposium 2010).

— [3] Martin Brinkmann. gHacks Technology News. Firefox’s new WebExtensions permission system. URL: ://www.ghacks.net/2017/03/06/firefoxs-new-webextensions-permission-system/

— [4] Catalin Cimpanu. BleepingComputer. URL: https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/

— [5] Blog: December 2013. URL: https://blog.chromium.org/2013/12/keeping-chrome-extensions-simple.

— [6] Dan Goodin. Ars Technica. After phishing attacks, Chrome extensions push adware to millions. URL: https://arstechnica.com/information-technology/2017/08/after-phishing-attacks-chrome-extensions-push-adware-to-millions/

— [7] Dan Goodin. Ars Technica. Bank-fraud malware not detected by any AV hosted in Chrome web store. Twice. URL: https://arstechnica.com/information-technology/2017/08/bank-fraud-malware-not-detected-by-any-av-hosted-in-chrome-web-store-twice/

— [8] C. Grier, S. T. King, and D. S. Wallach. How I Learned to Stop Worrying and Love Plugins. In Web 2.0 Security and Privacy, 2009.

— [9] Alexandros Kapravelos, Chris Grier, Neha Chachra, Chris Kruegel, Giovanni Vigna, and Vern Paxson. Hulk: Eliciting Malicious Behavior in Browser Extensions. In Proceedings of the USENIX Security Symposium, 2014.

— [10] R. S. Liverani and N. Freeman. Abusing Firefox Extensions. DEFCON 17, July 2009.

— [11] Lee Matthews. Forbes. Over A Million Coders Targeted By Chrome Extension Hack. URL: https://www.forbes.com/sites/leemathews/2017/08/03/over-a-million-coders-targeted-by-chrome-extension-hack/#5d5d3c289c9d

— [12] Add-ons Blog. June 2011. URL: https://blog.mozilla.org/addons/2011/06/21/firefox-4-add-on-users/

— [13] Particle Core. Particle. GitHub Repository. URL: https://github.com/ParticleCore/Particle/issues/528

— [14] Adrienne Porter Felt. Least Privilege for Browser Extensions. Master’s thesis. University of California, Berkeley.