
An Evaluation of Extension Vulnerabilities of Google Chrome

Md. Mesbahul Islam
Department of Computer Science, University of Helsinki
Helsinki, Finland
mesbahul.islam@helsinki.fi

ABSTRACT

A browser extension is a third-party software module that extends a browser's functionality and enhances the user's browsing experience. Because an extension interacts directly with untrusted web content, it has become one of the most common points of vulnerability and one of the primary targets of web attackers. In Firefox and IE, extensions and web scripts run in the same browser process, and extensions run with the user's full privileges, so a bug in an extension can let a malicious web operator execute arbitrary code. To mitigate extension vulnerabilities, Google Chrome introduced in 2009 a new extension model built on privilege separation, isolated worlds and least privilege. In this report I survey the Chromium browser's extension security model and evaluate its security features against malicious website operators and network attackers.

Categories and Subject Descriptors
H.4 [Information Systems Applications]: Miscellaneous; D.4.6 [Security and Protection]: Subjects: Access controls, Invasive software (e.g., viruses, Trojan horses)

General Terms
Browser Security

Keywords
Browser extension, least privilege, isolated world, permission.

1. INTRODUCTION

At first, web browsers were simply the means of surfing the Internet and experiencing the web. Later the browser extension was introduced: a small third-party software module developed to enhance the browsing experience and expand the browser's functionality. Users have always wanted a secure browser, but the growing popularity of extensions has attracted attackers, who turn the extension into an attack vector, and attacks through browser extensions have increased accordingly. In response, considerable effort has gone into proposing more secure extension models over time.

A secure browser protects the network, the computer system and its data from threats such as phishing or malware, which could steal confidential data or damage the system. A phishing attack happens when an attacker masquerades as some honest website and tricks the user into confusing a dishonest website with that honest one. The user may then share sensitive personal information with the attacker, which consequently causes harm. Malware, on the other hand, is software installed on the user's machine, often without consent, that is intended to damage the computer or steal sensitive data from it.

Traditionally, browser extensions and the browser itself run in the same process heap, as in IE and Firefox. Because both share one process space, malicious web content can exploit a buggy extension to steal sensitive data or do serious harm to the underlying operating system, since the browser runs with the user's full operating-system privileges. In 2009 Google Chrome introduced a new extension system [1] to prevent extension vulnerabilities, built on strong isolation between websites and extensions, separation of privilege within an extension, and a permission system. A Google Chrome extension has a multi-component architecture consisting of content scripts, a core extension and, optionally, a native binary.

Google Chrome is built upon Chromium's modular architecture, which has two modules: the browser kernel and the rendering engine. The rendering engine is responsible for turning web content into rendered bitmaps, whereas the browser kernel is responsible for interacting with the underlying operating system. The two modules execute in separate processes, and the rendering engine executes in a sandbox.

The paper is organized as follows. Section 2 describes attacks on extensions and the threat model of the Chrome extension model. Section 3 presents the Chrome extension architecture and its security model. Section 4 evaluates the Chrome extension security model. Finally, Section 5 presents concluding remarks.

2. ATTACKS ON EXTENSIONS

Because browser extensions interact directly with web content, they are at risk of attack whenever that content is untrusted. The risk comes from either malicious web operators or active network attackers [1]. The attacker tries to corrupt the extension and use its privileges to harm the user. For example, an attacker can corrupt an extension to achieve one of the following goals:

• Persistent Malware. The attacker tries to install malicious software on the user's machine so that it can connect to the network, receive commands over it, and launch attacks on target machines.

• Transient Key-logger. The attacker monitors the user's keyboard input. The goal is to steal sensitive information such as passwords and credit card numbers.

• File Theft. The attacker tries to read data from the user's file system, aiming to steal information such as database server passwords or confidential financial statements. This is an important security concern for enterprise users holding large amounts of secret information.

• Phishing. The attacker controls a website that contains malware and masquerades as an honest site, tricking the user into mistaking the dishonest website for the honest one. The user trusts the attacker and discloses information believing it is shared with a trusted site. At this point the attacker gains the privileges of the user's browser and runs malicious code in it to corrupt browser extensions or read sensitive data from the browser.

In Firefox, browser extensions have full access to browser internals and run with the same privileges as the browser itself. So if an attacker can infect an extension, it becomes possible to change the functionality of the browser, modify the behavior of web sites or even access the file system. A previous study [1] found that only 3 of 25 popular Firefox extensions actually required full system access; the remainder were over-privileged. This high level of privilege increases the severity of extension vulnerabilities.

In 2009 at DEFCON, Liverani and Freeman presented attacks against popular Firefox extensions [9]. One of the attacks was against the Skype extension (<=3.8.0.188). Whenever a web page contains a phone number, the Skype browser extension rewrites it as a hyperlink with a green call button beside it; if the user clicks that button, Skype launches and calls the number. The vulnerable point is the function responsible for placing the Skype call, which was reachable from web content. An attacker can therefore use JavaScript in any web page to trigger the Skype calling function and launch Skype automatically, which also costs the user credit if the calls are paid. Four classes of attack against browser extensions were identified in [1]. Some of them are described below together with Firefox's relevant mitigation.

• Cross-site Scripting. Cross-site scripting (XSS) vulnerabilities in browser extensions occur when extensions interact directly with untrusted web content. If eval or document.write is used in an extension, malicious JavaScript code can be injected into the extension [9]. Firefox provides the evalInSandbox API to mitigate this type of vulnerability.

• JavaScript Capability Leaks. A capability leak happens when the browser leaks a JavaScript pointer from one security region to another. Browsers normally keep the JavaScript objects of different security origins apart under the same-origin policy (SOP), so one origin cannot reach another's objects directly. If an extension leaks one of its JavaScript objects to a page, the attacker can use that leaked object to reach other JavaScript objects as well as powerful APIs. This attack is considered more severe than XSS [3], because a JavaScript leak affects all web sites, including those that are free from XSS.

• Mixed Content. If a browser extension loads a script over HTTP and runs it, a network attacker can replace that script, since an active network attacker controls content loaded via HTTP. In this way the attacker gains the extension's privileges and can install malware. A similar but less powerful attack occurs when an extension injects an HTTP script into an HTTPS web site [1].

The Google Chrome extension model focuses on non-malicious extensions that are vulnerable to external attack. It considers two threat models: a web attacker and an active network attacker [1].

A web attacker controls a website containing malicious content. When a user visits that website, or is lured into visiting it, the attacker tries to corrupt the browser's extensions by executing cross-site scripts. In this way the attacker can gain the privileges of the extension and read sensitive browser data such as bookmarks, history or even the saved password of another website.

A network attacker aims to steal personal or sensitive information (for example passwords, banking information or sensitive financial documents) from the user's machine. People who use an insecure network, such as public Wi-Fi or a hot-spot in a restaurant or coffee shop, can be attacked by a network attacker, who can read and alter HTTP data to mount man-in-the-middle attacks.

The attacker's target is to corrupt extensions and acquire their privileges in order to do further harm to the user. Extensions are written primarily in JavaScript and HTML. eval is a JavaScript function that converts a string into code; used improperly, it is vulnerable to code injection. Likewise, data can become executable in an HTML page if it is written through document.write or document.body.innerHTML [4]. Extension developers should therefore be careful when using these methods, so that untrusted data is never executed through them.

3. GOOGLE CHROME EXTENSIONS

Chrome uses the Chromium architecture, which has two mod-