An Evaluation of Extension Vulnerabilities of Google Chrome

Md. Mesbahul Islam Department of Computer Science University of helsinki Helsinki, Finland mesbahul.islam@helsinki.fi

ABSTRACT other honest website and tricks the user into confusing a dis- Browser extension is a third-party software module that honest website with that honest website. The user then can extends a browser’s functionality and enhances the brows- share sensitive and personal information with the attacker ing experience of users. As extension can directly interact which will consequently cause harms. On the other hand, with untrusted web contents, it’s becoming one of the most malware is installed into user’s machine, often without their common security vulnerable points and one of the primary consent, intended to harm computer or steal sensitive data choices for web attackers. In Firefox and IE, extensions and from computer. web scripts run under same browser process and extensions run with full user privileges which can result in exploiting Traditionally, browser extensions and the browser itself arbitrary code by malicious web operators. To mitigate ex- run in the same process heap such as in IE and Firefox. tension vulnerabilities, Google Chrome introduced a new ex- As both are running in the same process space, malicious tension model with features of privilege separation, isolated web contents can exploit buggy extensions in the browser world and least privilege in 2009. In this report I will sur- to steal sensitive data or cause serious harm to the under- vey the Chromium browser’s extension security model and lying operating system as the operating system share the present an evaluation of the security features against mali- same user privilege as the browser. Google Chrome came cious website operators and network attackers. up with security policies, strong isolation between websites and extensions, separation of privilege within an extension, and permission of extension system, in 2009 [1] to prevent Categories and Subject Descriptors extension vulnerabilities. Google Chrome’s extension made H.4 [Information Systems Applications]: Miscellaneous; from multi-component architecture which contains content D.4.6 [Security and Protection]: Subjects—Access con- script, core extension and optionally native binary. trols, Invasive software (e.g., viruses, Trojan horses) Google Chrome is built upon Chromium’s modular archi- General Terms tecture which has two modules: browser kernel and render- ing engine. The rendering engine is responsible for convert- Browser Security ing requests into rendered bitmap whereas browser kernel is responsible for interacting with underlying operating sys- Keywords tem. Both modules execute under separate process and the Browser extension, least privilege, isolated world, permis- rendering engine executes in a sandbox. sion. The paper is organized as follows. Section 2 describes attacks on extensions and threat model for Chrome exten- 1. INTRODUCTION sion model. Section 3 presents the Chrome extension archi- At first web browsers were basic means of surfing Internet tecture and its security model. Evaluation of the Chrome and web experience for people. Later browser extension was extension security model will be described in section 4. Fi- introduced which is, a small third-party software module, nally, concluding remarks will be presented in section 5. developed for enhancing browsing experience and expand- ing browser’s functionalities. All the time a secure browser is desirable to its users. Increasing popularity of the browser 2. ATTACKS ON EXTENSIONS extensions start attracting the attackers to make the exten- As browser extensions can interact directly with web con- sion as a security vulnerable vector and thus increase the tent, extensions are at risk of attacks while interacting with attack through browser extension. With this increasing at- untrusted web content. The risk comes from either malicious tacks, lots of effort was made to propose better secure ex- web operators or active network attackers [1]. The attacker tension model over the time. tries to corrupt the extension and uses its privileges to cause harm to the user. For example, an attacker can corrupt the A secure browser protects network, computer system or extension to achieve one of the following goals: data from threats such as phishing or malware, which could steal confidential data or make harm to the system. A • Persistent Malware. The attacker tries to install phishing attack happens when attacker masquerades as some malicious software on user’s machine so that the soft- ware can connects to the network, gets command over of browser extensions. It happens when the browser the network, and can initiate attacks on target ma- leaks a JavaScript pointer from one security region chine. to another. (if possible say something about secu- rity origin or SOP). Now, if an extension leaks one • Transient Key-logger. In this type of attack the of it’s JavaScript object, an attacker will access other user’s interaction with keyboard is monitored. The JavaScript objects as well as powerful APIs using this goal is to steal sensitive information like password, leaked object. It is said that this attack is more se- credit card number of users. vere than XSS attack [3] as JavaScript leaks affect all • File Theft. The attacker tries to read data from web sites including those sites which are free from XSS user’s file system. This type of attacker aims to steal attack. information like database server’s password, confiden- • Mixed Content. If a browser extension loads a script tial financial statements etc. This is actually an impor- over HTTP and runs it, a network attacker can replace tant security concern for enterprise users having large this script, as an active network attacker can control amount of secret information. content loaded via HTTP. In this way the attacker can • Phishing. Here the attacker controls a website which gain extension’s privileges and install malware. On the contains malware. Now the attacker masquerades and other hand, a similar but less powerful attack occurs tricks the user into confusing a dishonest website with when a HTTP script is injected into an HTTPS web an honest website. The user relies on the attacker and site by extension [1]. believes information which is shared with a trusted site. In this point the attacker gains privilege of user’s Google Chrome extension model focuses on non-malicious browser and exploits malicious code in user’s browser extensions those are vulnerable to external attacks. It con- to corrupt browser extension or read sensitive data siders two threat models: a web attacker and an active net- from browser. work attacker [1].

In Firefox, browser extensions have the full access to A web attacker controls a website which contains mali- browser internals and they run with the same privileges as cious content. When a user visits that website or a user is the browser has. So, if an attacker can infect the exten- convinced to visit that website then the attacker try to cor- sion, then it is possible to change the functionality of the rupt browser’s extensions by executing cross-site scripts. In browser, modify web sites’ behavior or even access to the this way, an attacker can gain the privilege of the extension file system. Previous study found that [1], only 3 of 25 pop- and can read sensitive browser data like bookmarks, history ular Firefox extensions required full system access whereas or even saved password of another website. remainder were over-privileged. This high level of privilege increased the severity of extension vulnerabilities. A network attacker aims to steal personal or sensitive in- formation (for example password, banking information, sen- In 2009 at DEFCON, Liverani and Freeman presented sitive financial documents) from an user’s machine. When attacks against popular Firefox extensions [9]. One of the people use insecure network like public Wi-fi or hot-spots attacks was against Skype (<=3.8.0.188) extension. If there in restaurant or coffee-shop, they can be attacked by the is any phone number in a web page, Skype browser exten- network attacker. In an insecure network, attacker can read sion rewrites that phone number into hyper-links and there and alter HTTP data to execute man-in-middle attacks. will be a green call button beside that link. If a user click on that button, Skype will launch and call that number. An attacker’s target is to corrupt extensions and acquire The vulnerable point is actually the calling function which privileges of extensions for causing further harm to the user. is responsible for Skype call and the function is available. Extensions are primarily written in JavaScript and HTML. So, an attacker can use JavaScript code in any web page to eval is a JavaScript function which can convert string into trigger the Skype Calling function which will launch Skype code. This function can be vulnerable to code injection at- automatically. It will also cause loosing credits if the calls tacks if it is used improperly into JavaScript. On the other are paid. There were four types of attack classes found [1] hand, Data can be executed in a HTML page if it is used against browser extensions. Some of them are described be- through document.write or document.body.innerHTML [4]. low with Firefox’s relevant mitigation methodology. Thus, the extension developers should be careful about im- plementing these methods so that untrusted data execution • Cross-site Scripting. Cross-site scripting (XSS) vul- through this methods can be avoided. nerabilities in browser extensions occur when exten- sions directly interact with untrusted web contents. If eval or document.write is used in an extension, it is 3. GOOGLE CHROME EXTENSIONS possible to inject malicious JavaScript code into ex- tension [9]. Firefox provides evalInSandbox API to Chrome uses Chromium architecture which has two mod- mitigate this type of vulnerability. This API uses for ules [2]: browser kernel and rendering engine which run in evaluating scripts and it runs without extension’s priv- two separate protection domain. Rendering engine inter- ilege. But this does not cover all types of interaction acts with web with restricted privilege under sandbox and with untrusted web contents. responsible for converting HTTP responses and user inputs into rendered bitmap. On the other hand, browser kernel in- • JavaScript Capability Leaks. JavaScript capabil- teracts with underlying operating system as a user. Figure ity leaks [3] are another kind of vulnerability point 1 shows a high level view of Chromium architecture where run in separate process. A core extension can only in- teract with web contents by invoking XmlHttpRequest or via content scripts. • A native binary is optionally included with an exten- sion which can interact directly with the host machine and run with full user privilege. In absence of a native binary, the core extension can interact with the host machine with full user privilege. Chrome extension architecture has multi-layer security as the components of an extension are separated by strong pro- cess boundary. As they run under sandboxed process, they cannot access all of the operating system’s services. More- over, the content scripts and the core extension can only communicate by passing message through a secure channel. If an attacker wants to gain the full privilege of user’s op- erating system then the attacker need to compromise the extension to send the malicious input from content script to core extension and then from core to native binary where the malicious input can exploits buggy code. But this is a very difficult process as the attacker needs to break through multiple security boundaries. 3.2 Chrome Extension’s Security Model To mitigate the extension vulnerabilities, Google Chrome followed three security mechanisms: least privilege, privilege separation, and strong isolation. In this section, we will describe and evaluate each of these mechanisms. Figure 1: The browser kernel treats the rendering Least Privilege engine as black box [2]. Chrome defines a set of permissions which includes accessing websites, executing scripts, and accessing different browser browser kernel treats the rendering engine as a black box [2]. modules like tabs, bookmarks, history, cookies etc. Accord- ing to the least privilege, each extension in Chrome browser Google Chrome’s extension model is multi-component ar- runs with a restricted set of permissions which require to chitecture model. It consists of content script, core exten- declare in a manifest.json file that comes packaged with sion and native binary. To prevent extension vulnerabili- the extension. Thus, an attacker, who compromises an ex- ties Chrome applies privilege separation between extension tension to exploit some buggy code, can only gain access to components, between content scripts and web contents and those permissions that the vulnerable extension already has. Chrome browser grants a restricted set of privileges. In the Consider the manifest file of Google Mail Checker [1, 5]: following sub-sections, I will present Chrome’s extension ar- "permissions":[ chitecture and corresponding security model [1, 8]. "alarms", "tabs", 3.1 The Extension Architecture "webNavigation", Chrome Extension’s Architecture was designed to miti- "http://*.google.com/", gate the vulnerabilities of benign but buggy extensions. A "https://*.google.com/" chrome extension is divided into multiple contents. Usually ] an extension includes content script and core extension. Fig- ure 2 is showing a basic architecture of Chrome extension. In this file we can see that Google Mail Checker needs permission for accessing sub-domain of google.com and the • A content script is written in JavaScript and can in- Tabs API. Attacker can’t access bank account because he teract directly with the web contents but run with less has no permission in such bank website. or no privilege. A content script is injected into a web site when the web page is loaded. The content Privilege Separation script is isolated from the associated web pages as their process run in different process heap but they share Moreover Chrome separates privileges among the compo- same underlying DOM (Document Object Model). Al- nents of an extension to make it difficult for the malicious though both the content script and websites access web contents to get access to the extension’s privileges. Usu- same DOM, they do not exchange variables or JavaScript ally an extension is made of content script and core exten- pointers. sion. Content scripts can interact directly with the web contents and run with no privilege. Content scripts cannot • The core extension can’t interact directly with the dirrectly access the browser modules but only can send a website contents and run with bulk of extension privi- JSON message postmessage via the core extension. On the leges. It includes one or more background pages which other hand, core extension can’t access directly or modify Figure 2: An Extension’s components, each with progrssively more privileges and less exposure to malicious web content [1, 4]. web contents but run with extension’s full privilege. A core to inject a content scripts to a website to access. If the extension can communicate with web contents through con- website does not belong to the extension’s origin then cross- tent scripts or invoking XmlHttpRequest. The native binary origin permission is also needed to access the website. Cross- can only interact with the core extension and has the full origin permissions are also defined in the manifest.json file user privilege to run arbitrary code or access any files. of the extension. To understand this level of isolation, con- sider following sample code [6]: Strong Isolation The chrome extension architecture uses multi-process archi- hello.html tecture and sandboxing technology for strong isolation. In ======Chrome, every website or web application opens in different tabs is correspond to a separate and independent process. click me So, if one tab crashes others will remain unaffected. The The chrome extension architecture uses three levels [1, 8] of isolation mechanism to isolate extension contents from Now, suppose this content script was injected into above each other and from web sites. First, Chrome follows the web page: same origin policy (SOP) to give access privileges to web sites. The origin of an extension is defined by including a var greeting = "hola, "; designated public key to the extension. By default, an exten- var button = document.getElementById("mybutton"); sion can access all resources of it’s own origin but need cross button.personName = "Roberto"; origin permission to access another origin’s resources. Ac- button.addEventListener("click", function() { cording to the extension security model an extension needs alert(greeting + button.personName + "."); Figure 3: Content Script and Isolated World [7].

}, false); a new security model of browser extension in 2009 [1] with Now, if button is pressed, there will be two greetings. We the security mechanisms of least privilege, privilege sepa- see that both are running in different JavaScript environ- ration, and permission. After that an evaluation had been ment. Please refer to Figure 3 for better understanding of done [4] on the extensions whether the mechanisms are suffi- isolated world. cient for protecting browser extensions from web attacks. It was found that Chrome extensions security architecture can Second, the components of an extension run in differ- mostly prevent web attacks but failed to prevent network ent process space and so they are isolated from each other. attacks. In this section I will present the evaluation of the When a content script injects in a web page, the script runs extensions security mechanisms. in the process space of the web sites. At the same time the core extension and the native binary run in their own pro- 4.1 Evaluation of Isolation Mechanism cesses. This mechanism is intended to protect content scripts from malicious web contents. In isolated world concept, the Finally, in the third level, the content scripts and web- content scripts and the web site Javascript run under dif- site’s scripts run in different JavaScript engine, which is ferent Javascript engine. So, they can’t access each other called isolated world. Content script is interesting features of functions or variables. This is also helps both to run differ- extension which can do useful things like download all image ent script version in their own process heap. from a web page or convert and unlink URL to link element by interacting with the DOM (Document Object Model) It is often seen that the extension developers are not secu- of a web page. A DOM represents a tree like structure of rity experts. So the developers face four security challenges a HTML page. The DOM is shared between the page’s [4] when writing extensions which are interacting with web JavaScripts and content scripts associated with the inter- contents. These are using data as HTML, using eval to ex- acting extension. Although both are sharing same DOM, ecute untrusted data, click injection, prototyping. they are isolated from each other and executes under dif- ferent process heap [7]. Since, the extensions have access Using Data as HTML. Inserting untrusted data as to privileged data and APIs, the isolated world mechanism HTML in web page in one of the strong developments mis- makes sure that the web page cannot use the DOM as a way takes because it allows the untrusted data to run as code. of accessing extensions as well as those privileged data and Isolated world mechanism helps to prevent this type of mis- APIs. takes. If data contains script which is inserted in a web page by content script, the script is executed in the web site’s pro- cess space instead of the extension’s. As a result, the content 4. EVALUATION OF EXTENSION’S SECU- script can read or modify of web site’s without creating any extension vulnerability. On the other hand, a content script RITY can read data from one web site and copy the data to an- To make browser more secure the Chrome team presented other web site which may introduce a security breach on the edited website but the extension is still unaffected because prevent it. of the isolated world mechanism. As mentioned earlier, that core extension can commu- Using eval. Another potential vulnerability can be in- nicate web contents by invoking XmlHttpRequest, so it is troduced by using eval to execute untrusted data. Eval is clear that core extensions are vulnerable to direct network very dangerous because it can execute any arbitrary data for attack. Direct network attacks are the largest core exten- example a script or expression. Consider a situation where sion vulnerabilities. Of the 50 core extension vulnerabilities, an extension reads data from a website containing malicious 44 vulnerabilities stem from HTTP scripts or HTTP Xml- code in that data and then the data is executed within con- HttpRequest [4, 8]. tent script by eval. Now, the resulting script will run in content script’s isolated world. So, in this situation isolated 4.3 Evaluation of Permission world does not mitigate the extension’s vulnerability due to The permission mechanism is intended to reduce the se- the use of eval. curity breaches of core extension. If an attacker compro- mises content scripts to run arbitrary code in core extension Click Injection. A click injection attack can be ini- then the permission mechanism helps to limit the severity tiated by a website by invoking an extension’s click event of damage. handler. Actually this website tricks the extension to in- voke the handler whereas this is not a user request at all. But the permission failed to protect core extension if the This situation can be happened when an extension registers extension comes packaged with important permissions. It some event handler for DOM elements from a website which was shown that[8], Chrome extensions pose serious threats, can be untrusted. The isolated world does not mitigate this including both information dispersion and harvesting due to attack at all. This type of attack does not run any buggy the request of serious permission. code instead it controls the content script’s behavior.

Finally the authors [4] stated that isolated world can pre- 5. CONCLUSION vent prototypes and capabilities attack as this mechanism provide heap separation. Now-a-days website attackers exploit malware in the browser extensions and it is increasing day by day. In this study, I have studied the security architecture of Google Chrome ex- 4.2 Evaluation of Privilege Separation tension model and presented an evaluation of the architec- The goal of the privilege separation mechanism is to pro- ture based on previous studies. It is shown that the isolated tect the core extension from attacks. The isolated world world mechanism is the most efficient to prevent the browser provides the first level security for core extension and the extensions from most of the malware attacks. This mecha- privilege separation comes into action when isolated world nism mitigates the vulnerability of content script. The privi- failed. That means privilege separation is very effective in lege separation mechanism is the second layer safety for core absence of isolated world. extension but it’s usefulness come to front when the isolated world failed to protect. Finally, permission is also an impor- An extension is usually made of content script and core tant feature for limiting malicious attack on user’s machine. extension where the core extension runs with most of the privileges. The core extension can not interact directly with It can be said that, the extension developers are not al- web contents. To do so core extension needs to communicate ways security experts. So, sometimes using of dangerous via content script or invokes XmlHttpRequest. The content code like inline scripts, innerHtml, eval etc. negate the scripts and core extension communicate through secure IPC benefit of the security mechanism. It is also stated that, channel. So, if an attacker wants to exploit malicious code in Chrome’s extension model is intended to prevent web at- core extension to gain the privilege, then the attacker need tackers rather than network attackers. There are no secu- to compromise content scripts to pass the code through mes- rity mechanism to protect core extension from direct net- sage channel which is difficult in chrome extension architec- work attack or website metadata attack. So, there is scope ture. of improving in the field of preventing network attacks. Fi- nally, 94% of the most serious attacks can be removed [4] by Now consider, the attacker wins to communicate with banning insecure coding practice like ban on HTTP scripts core extension and run arbitrary code, then attacker get ex- and inline scripts. tension’s privileges. But as an extension are issued only restricted set of permission so still now the attacker can’t get full user privilege. 6. REFERENCES It is an expectation of Chrome extension architecture [1] A. Barth, A. P. Felt, P. Saxena, and A. Boodman. that a malicious website first enter extension through con- Protecting browsers from extension vulnerabilities. In tent script, it can’t interact directly with core extension. In Network and Distributed System Security But it is possible to attack the core extension without going Symposium (NDSS). Internet Society, March 2012. through content scripts. Web site metadata is the way to [2] A. Barth, C. Jackson, C. Reis, and T. G. C. Team. access core extension directly as core extension can access The Security Architecture of the Chromium Browser. these information (i.e. history, bookmarks etc). If the meta- Technical Report, Google, 2008. data contains inline script then it can be a core extension [3] A. Barth, J. Weinberger, and D. Song. Cross-origin vulnerability. In this situation privilege separation does not javascript capability leaks: detection, exploitation, and defense. In Proceedings of the 18th conference on USENIX security symposium, pages 187–198, Berkeley, CA, USA, 2009. USENIX Association. [4] N. Carlini, A. P. Felt, and D. Wagner. An evaluation of the google chrome extension security architecture. In Proceedings of the 21st USENIX conference on Security symposium (Security’12), pages 7–7. USENIX Association, 2012. [5] C. Developers. Google chrome sample extensions. http://developer.chrome.com/extensions/ samples.html/. [6] C. Developers. Google chrome sample extensions. http://developer.chrome.com/extensions/ content_scripts.html#execution-environment/. [7] G. Developers. Google chrome extensions: Content scripts and isolated worlds. http://www.youtube.com/ watch?v=laLudeUmXHM&feature=player_embedded/, 2009. [Online; accessed 07-December-2009]. [8] L. Liu, X. Zhang, G. Yan, and S. Chen. Chrome extensions: Threat analysis and countermeasures. In In Network and Distributed System Security Symposium (NDSS). Internet Society, February 2012. [9] R. S. Liverani and N. Freeman. Abusing firefox extensions. http://www.youtube.com/watch?v=Csv-8qHSnqQ/, July. [10] T. G. C. Team. Google chrome & security: Sandboxing. https://www.google.com/intl/en/ chrome/browser/features.html#security/, 2010. [Online; accessed 15-December-2010].