Websites can steal browser data via extensions APIs

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,148
Content source
https://www.zdnet.com/article/websites-can-steal-browser-data-via-extensions-apis/
Researcher finds nearly 200 Chrome, Firefox, and Opera extensions vulnerable to attacks from malicious sites.

Malicious websites can exploit browser extension APIs to execute code inside the browser and steal sensitive information such as bookmarks, browsing history, and even user cookies.

The latter, an attacker can use to hijack a user's active login sessions and access sensitive accounts, such as email inboxes, social media profiles, or work-related accounts.

Furthermore, the same extension APIs can also be abused to trigger the download of malicious files and store them on the user device, and store and retrieve data in an extension's permanent storage, data that can later be used to track users across the web.

These types of attacks are not theoretical but have been proven in an academic paper published this month by Dolière Francis Somé, a researcher with the Université Côte d'Azur and with INRIA, a French researcher institute.

Somé created a tool and tested over 78,000 Chrome, Firefox, and Opera extensions. Through his efforts, he was able to identify 197 extensions that exposed internal extension API communication interfaces to web applications, allowing malicious websites a direct avenue to the data stored inside a user's browser, data that under normal circumstances only the extension's own code could have reached (when the proper permissions were obtained).
Click to expand...
More details about Somé's work are available in a research paper entitled "EmPoWeb: Empowering Web Applications with Browser Extensions," available for download in a PDF format from here or here.
It would be highly impractical to list all the vulnerable extensions in this article. Readers can find the list of vulnerable extensions in tables at the end of the above-linked research papers.
Click to expand...
 
  • Like
Reactions: Daviworld, g4nu5, Andy Ful and 18 others
Windows_Security

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
I must say the angle this study chooses is nice, easy breaches are the one from which the defender did not think it would/be breached (hence did not expect or foresee an attack from that angle). So look for person/process/system/object who/which has acces from insight (an extension), next find a 'normal' way to get access to that the object with a access from within (API). Because errors are human and software is made by humans, there are always methods to get control of the flow of events (program errors/lousy programming practices/program language and compiler weaknesses).

Somé's study EmpoWeb said:
Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application
Click to expand...

1547926014142.png
 
  • Like
Reactions: Weebarra, bribon77, HarborFront and 6 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
Somé said he notified the browser vendors about his findings before going public with his work in early January.

"All vendors acknowledged the issues," Somé said. "Firefox has removed all the reported extensions. Opera has also removed all the extensions but 2 which can be exploited to trigger downloads."

"Chrome also acknowledged the problem in the reported extensions. We are still discussing with them on potential actions to take: either remove or fix the extensions," he said.
Click to expand...
The response form Firefox and Opera is great, but Google :(
Come on Google get your act together and make your stores a safe place they were intended to be!
Maybe you can put some people from project zero on it.
Why study other peoples software for zero days when you do so poor on your own security.
 
  • Like
Reactions: Weebarra, bribon77, HarborFront and 10 others
zzz00m

zzz00m

Level 6
Verified
Well-known
Jun 10, 2017
248
I have always followed the advice to run a minimum of browser extensions. For various reasons. The only ones installed now relate to privacy and security.

Seems like good advice now, especially based on this recent news!
 
  • Like
Reactions: silversurfer and Weebarra
You must log in or register to reply here.

Similar threads

ZeroStrawberries
    • +Reputation
    • Like
    • Wow
Chrome extensions can steal plaintext passwords from websites
Replies
4
Views
2,587
News Archive
golongtime
G
Gandalf_The_Grey
    • Like
Why browser extension games need access to all websites
Replies
1
Views
837
News Archive
MuzzMelbourne
MuzzMelbourne
silversurfer
    • +Reputation
    • Like
New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3
Replies
1
Views
988
News Archive
Sandbox Breaker
Sandbox Breaker

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top