The Evil Friend in Your Browser
Global AppSec (slide transcript)

Achim D. Brucker and Michael Herzberg, {a.brucker, msherzberg1}@sheffield.ac.uk
Software Assurance & Security Research, Department of Computer Science, The University of Sheffield, Sheffield, UK
https://logicalhacking.com/
May 12, 2017
Abstract

On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browser: extensions can read and modify the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties. The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a juicy target for attackers targeting web users. We present results of analysing over 2500 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model from a user perspective.
Outline
1 Motivation
2 What are extensions: user perspective
3 What are extensions: developer perspective
4 Little shop of horrors
5 Outlook
Browsers are the new operating systems
Protecting Web Users
- HttpOnly
- Same-origin policy
- Content Security Policy (CSP)
- ...
Security of web browsers
The major browser vendors
- take security seriously
- invest a lot in making web browsers secure and trustworthy

We have a good basis for secure web applications, until we add extensions:
- they can extend/modify the browser
- anybody can write/offer them
- they might tear down the defence from inside
Browser extensions
Add-ons extending your browser

Google says:
- small software programs
- little to no user interface

What we find:
- complex and large programs
- sophisticated user interfaces

What extensions can do:
- modify the user interface (how your browser behaves)
- modify web pages (what you see)
- modify web requests (what you enter)
Let’s search for a simple calculator
Malicious extensions are a real threat to users (1/2)
https://www.bleepingcomputer.com/news/security/adware-replaces-phone-numbers-for-security-firms-returned-in-search-results/
Malicious extensions are a real threat to users (2/2)
Web of Trust (WoT)
- logged all web requests
- and sold the data to third parties

A German TV station
- bought the data
- "de-anonymized" it
- and found critical data, e.g.:
  - tax declaration of a member of the German parliament
  - details about international search warrants
  - ...
The architecture of browser extensions

[Figure: architecture diagram]
- Web Browser
  - Tab: DOM (Origin A) with Site Scripts and Content Scripts; two iframes holding DOM (Origin B) and DOM (Origin C), each again with Site Scripts and Content Scripts; Site Scripts and Content Scripts communicate via postMessage
  - Extension: popup.html + Scripts, background.html + Scripts; governed by Permissions and CSP
- Operating System: Native App, Filesystem, USB, Camera
- Connections labelled in the figure: postMessage, postMessage (externally_connectable), sendNativeMessage (Allowed Plugin), HTML5 API
Example manifest.json:

  {
    "update_url": "https://clients2.google.com/service/update2/crx",
    "name": "Test Extension",
    "version": "0.1",
    "manifest_version": 2,
    "description": "This is a harmless extension ...",
    "permissions": ["tabs", "<all_urls>", "webRequest"],
    "content_scripts": [
      {
        "all_frames": true,
        "js": ["content_script.js"],
        "matches": ["<all_urls>"],
        "run_at": "document_start"
      }
    ],
    "background": {
      "scripts": ["background.js"]
    }
  }
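The postMessage edge in the architecture diagram is where page scripts (any origin loaded in the tab, iframes included) can talk to a content script, which in turn can reach the background page and its permissions. As an added example (not code from the talk or its authors), here is how a content script can gate such a bridge: a pure policy check that can be unit-tested without a browser, plus the wiring that only runs when `window` and `chrome` exist. The origin allowlist, message types and function names are my own assumptions.

```javascript
// Added example (not from the talk): a content script that relays page
// messages to the background page only after checking who sent them.
// Origins, message types and names are assumptions for illustration.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumption
const ALLOWED_TYPES = new Set(["lookup", "ping"]);            // assumption

// Pure policy check so it can be tested under Node without a browser.
// Three conditions: the message comes from the top-level page itself (not an
// iframe or popup), its origin matches exactly (no suffix/substring match,
// which is how "app.example.com.evil.test" would slip through), and its
// payload is a known message type.
function isTrustedMessage(event, ownWindow, allowedOrigins = ALLOWED_ORIGINS) {
  if (event.source !== ownWindow) return false;
  if (!allowedOrigins.has(event.origin)) return false;
  const d = event.data;
  return typeof d === "object" && d !== null && ALLOWED_TYPES.has(d.type);
}

// Wire the check into a real content script; under Node `window` and
// `chrome` are absent, so this is a no-op that reports false.
function installBridge(win = globalThis.window, chromeApi = globalThis.chrome) {
  if (!win || !chromeApi) return false;
  win.addEventListener("message", (event) => {
    if (!isTrustedMessage(event, win)) return; // drop silently
    chromeApi.runtime.sendMessage({ type: event.data.type, payload: event.data.payload });
  });
  return true;
}
installBridge();

// Constructed message events for a quick self-check (not real captures).
const pageWindow = {};
const fromPage = {
  source: pageWindow,
  origin: "https://app.example.com",
  data: { type: "lookup", payload: "q" },
};
const fromIframe = { source: {}, origin: "https://app.example.com", data: { type: "lookup" } };
const fromLookalike = {
  source: pageWindow,
  origin: "https://app.example.com.evil.test",
  data: { type: "lookup" },
};
const unknownType = { source: pageWindow, origin: "https://app.example.com", data: { type: "exec" } };

for (const [label, ev] of [["page", fromPage], ["iframe", fromIframe], ["lookalike", fromLookalike], ["unknown type", unknownType]]) {
  console.log(`${label}: ${isTrustedMessage(ev, pageWindow) ? "accepted" : "rejected"}`);
}
```

The exact-origin comparison is the part most often got wrong in practice; checking `event.source` against the content script's own `window` additionally keeps cross-origin iframes in the same tab (Origin B and C in the diagram) from reaching the bridge.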
Security mechanism: Permissions

Background Scripts
Two-dimensional permission system:
- functional permissions: tabs, bookmarks, webRequest, desktopCapture, ...
- host permissions: https://*.google.com, http://www.facebook.com, but also <all_urls> and https://*/*
Host permissions restrict the effect of some functional permissions.

Content Scripts
Black and white: either injecting the script, or not.
Chrome Web Store
- Main way of distributing extensions
- We monitored 115k extensions over 3 months
- Wide variety of categories:
  - productivity 29.29%
  - fun 11.65%
  - communication 10.24%
  - web_development 9.15%
  - games 7.52%
  - accessibility 7.22%
Extensions are big ...

[Figure: two histograms of # Extensions]
- Extension Size, bins: <10kB, 10kB - 100kB, 100kB - 1MB, 1MB - 10MB, >10MB (y-axis 0 to 25000)
- JavaScript LoC, bins: <100, 100 - 1000, 1000 - 10k, 10k - 100k, >100k (y-axis 0 to 35000)
... and old

[Figure: histogram of # Extensions by # of updates in 3 months, bins: 0, 1, 2 - 5, 5 - 10, >10 (y-axis 0 to 100000)]

15% use an old jQuery version! (1.x or 2.x)
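The jQuery figure above comes from scanning the JavaScript bundled in each extension. As an added example (not the authors' tooling), the following script shows the kind of check involved: it looks for the banner comment jQuery ships in its minified and uncompressed builds, falls back to a versioned file name, and flags the 1.x/2.x branches the slide calls out. The file contents below are constructed samples; function names are my own.

```javascript
// Added example (not from the talk): find bundled jQuery copies in an
// unpacked extension and flag the 1.x/2.x branches. Input is a map of
// file path -> file contents; names are assumptions for illustration.

// Banner formats jQuery ships:
//   minified:     /*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */
//   uncompressed: " * jQuery JavaScript Library v3.6.0"
const BANNER_RE = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)/;
// Fallback when a build has its banner stripped: jquery-1.12.4.min.js
const FILENAME_RE = /jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$/i;

// Returns {major, minor, patch, evidence} or null if no jQuery is detected.
function detectJQuery(path, source) {
  let m = BANNER_RE.exec(source);
  let evidence = "banner";
  if (!m) {
    m = FILENAME_RE.exec(path);
    evidence = "filename";
  }
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], evidence };
}

// The slide's criterion: anything on the 1.x or 2.x branch counts as old.
function isOldJQuery(version) {
  return version !== null && version.major < 3;
}

// Walk every file and collect findings.
function auditFiles(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const v = detectJQuery(path, source);
    if (v === null) continue;
    findings.push({
      path,
      version: `${v.major}.${v.minor}.${v.patch}`,
      evidence: v.evidence,
      outdated: isOldJQuery(v),
    });
  }
  return findings;
}

// Constructed sample of an unpacked extension (not a real one).
const SAMPLE_FILES = {
  "lib/jquery.min.js":
    "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){/* ... */}(window);",
  "lib/jquery-3.6.0.js": "/*!\n * jQuery JavaScript Library v3.6.0\n * https://jquery.com/\n */",
  "vendor/jquery-2.2.4.min.js": "!function(a,b){/* banner stripped */}(window);",
  "background.js": "chrome.runtime.onInstalled.addListener(() => {});",
};

for (const f of auditFiles(SAMPLE_FILES)) {
  console.log(`${f.path}: jQuery ${f.version} (${f.evidence})${f.outdated ? " OUTDATED" : ""}`);
}
```

The file-name fallback is weaker evidence than the banner (a file can be renamed), which is why each finding records how it was detected.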
Case one: Read all your history
- Permission: tabs or <all_urls>, or content script on all sites
- Needed for many simple extensions
- Can monitor your complete history, incl. full URLs
- 34% of 115,000 extensions; total downloads: 715m
Case two: Read and write all data on your websites
- Permission: <all_urls>, or content script on all sites
- Minimum level of permissions for many extensions
- Gives full access to the web site
- 21% of 115,000 extensions; total downloads: 615m
Case three: Circumvent security measures
- Permission: <all_urls> and webRequest
- Can intercept and change all HTTP headers!
- Disable Content-Security-Policy, Same-origin Policy, etc.
- Breaks security guarantees of web browsers!
- 6% of 115,000 extensions; total downloads: 325m
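The three cases are defined purely in terms of the manifest: which functional permissions are requested, whether a host permission covers every site, and whether a content script is injected everywhere. As an added example (not the authors' analysis code), the script below reads a manifest the way the permission-system slide describes it and reports which of the three cases it enables. Function names are mine; the permission semantics follow the slides and Chrome's documented match-pattern syntax, and the two manifests are constructed (one copied from the architecture slide, one a minimal calculator).

```javascript
// Added example (not from the talk): classify a Chrome extension manifest
// into the talk's three risk cases. Names are assumptions for illustration.

// A host pattern covers every web site if it is "<all_urls>" or has the form
// <scheme>://*/<path> with scheme http, https or "*" (Chrome reads "*" as
// http+https). Anything else, e.g. "https://*.google.com/*", is site-scoped.
function coversAllSites(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^([a-z*]+):\/\/([^/]+)(\/.*)?$/.exec(pattern);
  if (!m) return false; // not a match pattern at all
  const [, scheme, host] = m;
  return ["http", "https", "*"].includes(scheme) && host === "*";
}

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Manifest v2 (as on the slide) mixes functional and host permissions in one
// list; v3 moves host patterns to "host_permissions". Both are read here.
function hostPermissions(manifest) {
  const all = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return all.filter(isHostPattern);
}
function apiPermissions(manifest) {
  return (manifest.permissions || []).filter((p) => !isHostPattern(p));
}
function contentScriptOnAllSites(manifest) {
  return (manifest.content_scripts || []).some((cs) => (cs.matches || []).some(coversAllSites));
}

// Returns the subset of the three cases that the manifest enables.
function classify(manifest) {
  const api = new Set(apiPermissions(manifest));
  const allHosts = hostPermissions(manifest).some(coversAllSites);
  const csAll = contentScriptOnAllSites(manifest);
  const cases = [];
  // Case one: sees every URL you visit (full URLs, not just hosts).
  if (api.has("tabs") || allHosts || csAll) cases.push("read-history");
  // Case two: read/write access to the DOM of every site.
  if (allHosts || csAll) cases.push("read-write-all-sites");
  // Case three: can rewrite HTTP headers on every site. (In manifest v2,
  // actually changing headers additionally needs "webRequestBlocking".)
  if (allHosts && api.has("webRequest")) cases.push("modify-all-headers");
  return cases;
}

// Constructed inputs: the manifest from the architecture slide, and a
// minimal calculator that only needs a popup and local storage.
const SLIDE_MANIFEST = {
  name: "Test Extension",
  version: "0.1",
  manifest_version: 2,
  permissions: ["tabs", "<all_urls>", "webRequest"],
  content_scripts: [
    { all_frames: true, js: ["content_script.js"], matches: ["<all_urls>"], run_at: "document_start" },
  ],
  background: { scripts: ["background.js"] },
};
const CALCULATOR_MANIFEST = {
  name: "Simple Calculator",
  version: "1.0",
  manifest_version: 2,
  permissions: ["storage"],
  browser_action: { default_popup: "popup.html" },
};

for (const m of [SLIDE_MANIFEST, CALCULATOR_MANIFEST]) {
  const cases = classify(m);
  console.log(`${m.name}: ${cases.length ? cases.join(", ") : "no all-sites capabilities"}`);
}
```

Running this over an unpacked store crawl gives exactly the three percentages on the case slides; the same check is what a user does by hand when the short-term advice later in the talk says to look at an extension's permissions and active domains.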
It’s that easy...
How can we make web browsing great* again?

Integrity:
- content modifications
- layout modifications

Confidentiality:
- data storage
- transmitted data

Privacy:
- access to sensors
- personal identifiers

*great = ensuring the security, integrity, and privacy of the user of a web browser
Outlook: On the long term
- Sandboxing of extensions
- A different permission model
  - granularity?
  - dynamic vs static?
- Better explanation for users
- Better analysis/test tools for extensions

Expect updates from us in the future ...
Outlook: On the short term (1/2)
- Be aware of the risk
- Check the vendor of the extension carefully
- Check the permissions (i.e., active domains)
- Use browser profiles
Outlook: On the short term (2/2)
Frequent updates vs Governance
Thank you for your attention!
Any questions or remarks?

Contact: Dr. Achim D. Brucker and Michael Herzberg
Department of Computer Science
University of Sheffield
Regent Court
211 Portobello St.
Sheffield S1 4DP, UK
Email: {a.brucker, msherzberg1}@sheffield.ac.uk
Web: https://logicalhacking.com/blog/
Document Classification and License Information

© 2017 LogicalHacking.com, Achim D. Brucker and Michael Herzberg {a.brucker, msherzberg1}@sheffield.ac.uk.
This presentation is classified as Public (CC BY-NC-ND 4.0):
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0).