Root causes for attack success
Improper Application of Security Principles.
The success of our attack can be largely attributed to the improper application of fundamental security principles within the current design of web browsers and extensions. One of the key issues lies in the coarse-grained permission model at the HTML level. Once an extension is allowed to run on a page, it has unrestricted access to all elements. This unrestricted access is in direct violation of the Principle of Least Privilege, a fundamental security principle that advocates for limiting the permissions granted to a process to only those that are necessary for its function. This unrestricted access also undermines the principle of Complete Mediation, which requires that every access to a resource be checked for appropriate permissions. In the current model, once an extension has been granted access to a page, subsequent accesses to elements on the page are not checked, allowing the extension to interact with all elements on the page freely. These violations of fundamental security principles create an environment where sensitive data is vulnerable to unauthorized access and manipulation, highlighting the need for a more secure design that adheres to these principle
Trade-off Between Usability and Security.
In security systems, there is often a trade-off between usability and security. This trade-off is clearly evident in the current security landscape of web browsers and extensions. Websites often rely on browsers to provide the necessary security protections, placing trust in the browser’s ability to safeguard sensitive data. However, this trust can lead to vulnerabilities if the browser’s protections are insufficient or can be circumvented by malicious extensions. An example of this trade-off can be seen in password managers. While they aim to improve convenience by storing and automatically filling passwords, they require access to password fields, which can compromise security measures. This creates a challenge in balancing between implementing strict security measures and ensuring the smooth operation of password managers. Interestingly, we observed that many websites attempt to obfuscate Social Security Numbers (SSNs) but not passwords. This suggests a recognition of the need for protection of sensitive data, but an inconsistent application of it. The decision to obfuscate SSNs but not passwords may be driven by a desire to balance usability and security, but it also highlights the complexities and potential pitfalls of this trade-off.
Websites’ Bad Practices.
Our case studies revealed a range of security practices across different websites, with some leaving sensitive input fields unprotected or implementing only minimal protections. The reasons for these practices are not always clear, but they contribute to the overall vulnerability of these input fields. Even obfuscation, while better than leaving sensitive data in plain sight, is insufficient to fully secure these fields.
Flaws in Online Review Process of Extensions.
Lastly, the online review process for extensions, particularly those with dynamically loaded selectors, has significant flaws. These flaws can allow malicious extensions to pass through the review process undetected, providing them with a platform to launch attacks. It’s important to note that this is different from code injection, as the malicious code is part of the extension itself, not injected into the webpage. These factors combine to create a landscape where sensitive input fields are vulnerable to attack. In Section 5 and Section 6, we measure the practicality and prevalence of this vulnerability on real websites by conducting large-scale measurements (Section 5) and case studies (Section 6).
