Do software "extensions" open the door to attack?

9/1/2010

Installing popular browser extensions, even from trusted sources, can open a doorway for malicious websites that know how to exploit weaknesses in those extensions. Worse, this type of attack can't be found or stopped by antivirus software.


Sruthi Bandhakavi

“Firefox extensions run with full browser privileges, so attackers can potentially exploit extension weaknesses to take over the browser, steal cookies or protected passwords, compromise confidential information, or even hijack the host system, without revealing their actions to the user,” says Sruthi Bandhakavi, a PhD student in computer science.

In a research paper entitled “VEX: Vetting Browser Extensions For Security Vulnerabilities,” Bandhakavi--who is co-advised by Marianne Winslett and P. Madhusudan and helped by Sam T. King--outlines how subtle vulnerabilities in browser extensions could lead to disastrous attacks. The work won the best paper award at the 19th USENIX Security Symposium held at Washington D.C., an event that brings researchers, programmers, and others interested in the latest security advancements together.

What do we have to worry about?

All four of today's most popular web browsers - Internet Explorer, Firefox, Safari, and Chrome - support extensions: pieces of third-party software that run inside the browser and add functionality. Because these extensions are usually promoted through an online marketplace for each browser, they are extremely easy to find and install. And because they are often advertised by and downloaded from the websites of trustworthy companies like Google and Mozilla, users inherently trust the extensions themselves.

Currently, extensions are vetted, or examined, for security vulnerabilities manually. Bandhakavi's paper presents VEX, "a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to the JavaScript code used to implement extensions." In short, the tool leaves less room for human error when analyzing extensions for potentially dangerous pathways within the browser.

This framework has already scanned thousands of extensions and uncovered six exploitable vulnerabilities (three of which were previously unknown) and hundreds of examples of bad programming practices that may lead to security vulnerabilities. For example, it found that versions 0.5.7 and 0.5.9 of Wikipedia Toolbar can allow malicious JavaScript code to be run at root level within Firefox, giving the code access to pretty much anything it asks for. Her work has also uncovered bad programming practices put into place by extension developers who may simply not know that their code is vulnerable, because not everyone is a security expert. These practices were found in hundreds of extensions and can be the first step toward a major vulnerability.
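To make the static information-flow idea concrete, here is an added toy illustration that is not code from the VEX paper or from any extension: a small, flow-sensitive taint tracker over a simplified statement list. The source and sink names (web-page content flowing into a privileged eval) and the sample program are assumptions chosen to mirror the content-to-eval class of flow the Wikipedia Toolbar finding describes, not the toolbar's actual code.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
# Assumed names (not from the page): page content is the untrusted source,
# eval() in privileged extension code is the sink.
SOURCES = {"window.content.document.title", "window.content.document.location"}
SINKS = {"eval"}

@dataclass
class Assign:          # lhs = op1 + op2 + ...  (operands in quotes are literals)
    lhs: str
    operands: List[str]

@dataclass
class Call:            # fn(arg1, arg2, ...)
    fn: str
    args: List[str]

def taint_of(operands: List[str], env: Dict[str, Set[str]]) -> Set[str]:
    # Sources that can reach any operand: direct reads or tainted variables.
    taint: Set[str] = set()
    for op in operands:
        if op.startswith('"'):          # string literal: always clean
            continue
        if op in SOURCES:               # direct read of untrusted content
            taint.add(op)
        taint |= env.get(op, set())     # taint inherited from a variable
    return taint

def analyze(program: list) -> List[Tuple[int, str, List[str]]]:
    # Flow-sensitive pass: (index, sink, sources) for each tainted sink call.
    env: Dict[str, Set[str]] = {}       # variable -> sources reaching it
    findings = []
    for idx, stmt in enumerate(program):
        if isinstance(stmt, Assign):
            t = taint_of(stmt.operands, env)
            if t:
                env[stmt.lhs] = t
            else:
                env.pop(stmt.lhs, None) # overwritten with clean data: taint cleared
        elif isinstance(stmt, Call) and stmt.fn in SINKS:
            t = taint_of(stmt.args, env)
            if t:
                findings.append((idx, stmt.fn, sorted(t)))
    return findings
# Constructed sample mirroring a page-title-to-eval flow (not real toolbar code).
EXAMPLE = [
    Assign("title", ["window.content.document.title"]),   # untrusted page data
    Assign("code", ['"handle(\'"', "title", '"\')"']),     # spliced into a string
    Call("eval", ["code"]),                                # flagged: source reaches eval
    Assign("title", ['"Wikipedia"']),                      # constant overwrites taint
    Call("eval", ["title"]),                               # not flagged
]
```

Running `analyze(EXAMPLE)` reports only the third statement, showing how a vetting tool can single out the one eval that untrusted page data can actually reach.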

"The main target of this work is the extension editors (people who vet extensions before they are made public), who could use this tool to analyze thousands of extensions simultaneously," claims Bandhakavi. The people controlling the extension marketplaces (Google, Apple, etc.) often don't have the tools to extensively test these extensions, adds Parthasarathy. Put that together and it's easy to see that the aim of their framework is to "help [these companies] find the vulnerabilities before they affect the populace at large" by making it easier and faster to do so. That said, Bandhakavi hopes her work can also help educate extension developers in understanding the ways their code could be compromised.

While her program only works on Firefox extensions currently, Bandhakavi plans to modify it to also analyze Chrome extensions next.
__________________

Contact:
Jennifer LaMontagne, associate director of communications, Department of Computer Science, 217/333-4049.

Writer: Josh Holat, Department of Computer Science.

If you have any questions about the College of Engineering, or other story ideas, contact Rick Kubetz, Engineering Communications Office, 217/244-7716, editor.


This story was published September 1, 2010.