Privacy Leakage Attacks in Browser by Colluding Extensions - - PowerPoint PPT Presentation



SLIDE 1

Privacy Leakage Attacks in Browser by Colluding Extensions

Presentation by

Anil Saini (1), Manoj Singh Gaur (1), Vijay Laxmi (1), Tushar Singhal (1), Mauro Conti (2)

(1) Malaviya National Institute of Technology, Jaipur, India
(2) University of Padua, Italy

10th International Conference on Information Systems Security

16-20 Dec 2014, IDRBT, Hyderabad

December 20, 2014

Anil Saini et al. (MNIT-Jaipur) ICISS-2014 December 20, 2014 1 / 57

SLIDE 2

Outline

1 Browser Extensions
  • An Overview
  • XPCOM Framework

2 Threats with Browser Extensions
  • Threats Overview
  • Literature

3 Colluding Browser Extensions
  • Colluding Extensions
  • Threat Model
  • Attack Scenarios
  • Experimental Results
  • Mitigation

4 Conclusions
  • Conclusions

SLIDE 4

Browser Extensions

An Overview

Third-party code in Firefox

  • Extension or Add-on
  • Plug-in
  • APIs

SLIDE 5

Browser Extensions

An Overview

Powerful Privileges for Extensions

SLIDE 6

Browser Extensions

An Overview

Firefox Extensions

  • What is a Firefox Extension?
    • Extensions are third-party software.
    • Extensions are add-ons.
  • Brighter side?
    • Adds unforeseen rich functionality to the browser.
    • Customizes and extends the core functionality of the browser.
    • Enhances the browsing experience.
  • Darker side?
    • Can be vulnerable or malicious.
    • Once exploited, grants system-level access to the attacker.
    • High privileges can enable critical attacks.

SLIDE 7

Browser Extensions

XPCOM Framework

XPCOM Architectural View

  • Cross-platform interaction framework that provides services within and across the browser.
  • Development technologies: CSS, RDF, XUL, XBL, JavaScript.
  • Interacts with internal browser components, the host file system, the network, etc.
  • Access to browser APIs.

SLIDE 8

Browser Extensions

XPCOM Framework

XPCOM Interface

  • Interfaces are sets of functionality implemented by XPCOM components.
  • An extension can call any functionality provided by an XPCOM component, as described in its interfaces.
  • For example, the nsIFile interface describes the properties and functions that apply to files, such as read, write and execute.

SLIDE 10

Threats with Browser Extensions

Threats Overview

Threats Categorizations

  • Privacy leakage (without informing users)
    • A vulnerable or malicious extension may leak private information such as username, password, cookies.
    • Breaches confidentiality and integrity of user data. E.g. banking Trojan: Man-in-the-Browser attack.
  • Privilege escalation
    • Gaining browser- and OS-level access by leveraging existing browser and system-level vulnerabilities.
  • Executing critical applications
    • Accessing information from web applications.
    • Executing arbitrary processes.
    • Accessing the network across domains.
    • Accessing files on the host file system.

SLIDE 11

Threats with Browser Extensions

Threats Overview

Point-of-Attacks

  • Browser Document Object Model (DOM)
    • Access to web page information and cookies.
  • Cross-Platform Component Object Model (XPCOM) interfaces
    • Access to system-level resources, such as the network, processes, host file system.
  • JavaScript methods
    • Malicious data injection points.
  • Browser APIs
    • Access to browser resources, such as bookmarks, history, cookies.

SLIDE 12

Threats with Browser Extensions

Threats Overview

Extension-based Attack: A Real Example

  • A MitB (Man-in-the-Browser) Trojan attack is a critical threat affecting consumer and business banking customers.
  • A malicious extension can invoke actions like:
    • Modifying web transactions.
    • Manipulating web page information.
  • The challenges faced by the user:
    • The attack is successfully executed over a secured channel protected with security mechanisms like SSL/PKI and two- or three-factor authentication.
    • It is able to access information on the fly.

SLIDE 14

Threats with Browser Extensions

Literature

Can we stop malicious and vulnerable Extensions ??

  • Mohan Dhawan and Vinod Ganapathy. 2009. Analyzing Information Flow in JavaScript-Based Browser Extensions. In Proceedings of the 2009 Annual Computer Security Applications Conference (ACSAC'09).
  • Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittman, Samuel T. King, P. Madhusudan, and Marianne Winslett. 2011. Vetting Browser Extensions for Security Vulnerabilities with VEX. Commun. ACM 54, 9 (Sept. 2011).
  • Kaan Onarlioglu, Mustafa Battal, William Robertson, and Engin Kirda. 2013. Securing Legacy Firefox Extensions with SENTINEL. In Proceedings of the 10th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA-13). Springer-Verlag, 122-138.
  • Hossain Shahriar, Komminist Weldemariam, Mohammad Zulkernine, and Thibaud Lutellier. 2014. Effective detection of vulnerable and malicious browser extensions. Computers & Security 47 (2014), 66-84.
  • ...

Let's assume that these methods are foolproof solutions...

SLIDE 17

Colluding Browser Extensions

Colluding Extensions

Objective

  • Assuming that attacks caused due to single extension are mitigated.
  • Can we bypass these mitigation techniques ???

YES we can... using two or more colluding extensions.

SLIDE 18

Colluding Browser Extensions

Colluding Extensions

Point of weakness

  • Weakness in the JavaScript engine (SpiderMonkey) of the Firefox browser in handling JavaScript objects.
  • SpiderMonkey provides two abstractions for executing scripts: JSRuntime and JSContext.
    • Mozilla Firefox uses one JSRuntime for the entire browser.
    • The JSContext is a child of the JSRuntime; many threads are possible.
    • Objects may be shared among JSContexts within a JSRuntime.
    • All the objects created during the execution of a script are allocated on the Global Object Heap.

SLIDE 19

Colluding Browser Extensions

Colluding Extensions

Inter component communication (ICC) in Firefox

SLIDE 20

Colluding Browser Extensions

Colluding Extensions

Collusion between two Extensions

SLIDE 22

Colluding Browser Extensions

Threat Model

ICC threat model

  • Observer Notification Collusion: a collusion using event notification and sharing of object references.
    • Uses the nsIObserverService interface.
  • Preference Overriding: an ICC using preference overriding of the browser and of extensions.
    • Uses the nsIPrefService interface.

SLIDE 24

Colluding Browser Extensions

Threat Model

Notification Interface: nsIObserverService

  • Observers are the objects that are notified on the occurrence of an event.
  • A good way for objects to pass messages to each other without the objects having explicit knowledge of one another.
  • An observer can listen for a notifier string. This notifier string notifies an extension so that it can access a shared object of another extension.

SLIDE 27

Colluding Browser Extensions

Attack Scenarios

Object Collusion: Attack Scenario 1

  • Extension Y has the functionality to read static and dynamic information from the web page, including information input by the user at run-time.
  • Extension X is able to send information over a network channel.
  • X uses the shared object reference to access the DOM information extracted by Y, and sends it over the network to the attacker's domain.

SLIDE 28

Colluding Browser Extensions

Attack Scenarios

Code Snippet for Attack Scenario 1

SLIDE 31

Colluding Browser Extensions

Attack Scenarios

Object Collusion: Attack Scenario 1

  • Extension X has the functionality to read static and dynamic information from the web page's DOM.
  • Extension Y is able to modify the input information within the DOM.
  • When the victim user clicks the submit button, the modified information is sent to the credit server, and with this click an account is created on the server with download credits.

SLIDE 32

Colluding Browser Extensions

Attack Scenarios

Object Collusion: Attack Scenario 2

SLIDE 34

Colluding Browser Extensions

Attack Scenarios

Object Collusion: Attack Scenario 2

  • Extension Y reads input information from a web page's DOM, and it can also add a new field to a web page.
  • Extension X modifies the user details by modifying the DOM.
  • When the victim user clicks the submit button, the modified information is sent to the credit server, and the payment information is sent to the attacker's server.

SLIDE 35

Colluding Browser Extensions

Attack Scenarios

Object Collusion: Attack Scenario 3

SLIDE 37

Colluding Browser Extensions

Attack Scenarios

Preferences Interface: nsIPrefService

  • Browser preferences are denoted Pb1, Pb2, ..., Pbn, and extension preferences are denoted Pe1, Pe2, ..., Pen.
  • A malicious extension observes the notification when a browser preference changes, and executes a malicious event.
  • A malicious extension observes the notification when an extension preference changes, and executes a malicious event.

SLIDE 42

Colluding Browser Extensions

Attack Scenarios

Preferences Interface: nsIPrefService

  • A malicious extension alters the default preferences of the browser and of other extensions.
  • A security-enhanced browser can be breached by a mis-configured preference.
  • A malicious extension changes a security preference of either the browser or an extension.

SLIDE 47

Colluding Browser Extensions

Attack Scenarios

Overriding Preferences: Attack Scenario 1

  • The browser has many security-related preferences.
  • An attacker can set or reset critical browser preferences through an extension that has privileges to override the default preference values.

SLIDE 49

Colluding Browser Extensions

Attack Scenarios

Overriding Preferences: Attack Scenario 2

  • Extensions use preferences to customize themselves.
  • Adding a malicious domain (e.g. malicious.com) to NoScript via the capability.policy.manoscript.sites preference string.
  • NoScript then bypasses all the security checks it provides for that domain.

SLIDE 50

Colluding Browser Extensions

Experimental Results

Results for attack scenarios executed on web domains

                 Banking Domains (50)   Shopping Domains (50)   Buy (Download) Credit Domains (50)
                 Success                Success                 Success
  Scenario 1     22%                    100%                    100%
  Scenario 2     NA                     100%                    100%
  Scenario 3     NA                     78%                     80%

  • Scenario 1 is 100% successful against shopping and download-credit domains, whereas only a few bank websites allow the extensions to capture credential information.
  • For Scenario 2, every tested website allowed our extension to modify the typed content on the fly.
  • The third attack scenario is successfully executed on 78% of shopping domains and 80% of download-credit domains.
  • Some domains did not allow an extra field to be added to the page, and if the field is successfully added they do not allow proceeding further.

SLIDE 51

Colluding Browser Extensions

Experimental Results

Results showing Preferences Modification

Preference                                 Risk after modifying the preference

Security-relevant browser preferences
  security.csp.enable                      Enables/disables the content security policy of the browser
  dom.disable_open_during_load             Allows pop-up windows in the browser if set to true
  dom.popup_allowed_events                 Adding entries to this list may allow unwanted pop-ups
  extensions.update.url                    Adding a malicious URL using this preference changes the extension update source
  browser.safebrowsing.malware.enabled     Do not download malware & blacklists; do not check downloads if set to false

NoScript extension
  capability.policy.manoscript.sites       Adding a URL to this preference bypasses all the security checks provided by NoScript

Adblock extension
  extensions.adblockplus.whitelistschemes  Using this preference an attacker can add and remove whitelisting rules

WOT extension
  weboftrust.norepsfor                     Adding a malicious domain to this preference bypasses the check for malicious domains
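
Added example (not part of the slides or of the authors' PoC code): an audit that compares a snapshot of the security-relevant preferences from the table above against a known-good baseline and reports the risk attached to each change. The preference names come from the table; the baseline values, the current snapshot and the names PREF_RULES, auditPrefs and demo are assumptions made for this example.

```javascript
// Audit of the security-relevant preferences listed on the slide against a baseline.
// Run such an audit from outside the extension trust boundary (e.g. a check of the
// profile files), since a colluding extension can rewrite preferences from inside the
// browser. PREF_RULES, auditPrefs and demo are names chosen for this example.

const PREF_RULES = {
  'security.csp.enable': { kind: 'bool', expect: true, risk: 'content security policy disabled' },
  'dom.disable_open_during_load': { kind: 'bool', expect: true, risk: 'pop-up blocking during load changed' },
  'browser.safebrowsing.malware.enabled': { kind: 'bool', expect: true, risk: 'downloads no longer checked against malware blacklists' },
  'dom.popup_allowed_events': { kind: 'list', risk: 'additional events may allow unwanted pop-ups' },
  'extensions.update.url': { kind: 'exact', risk: 'extension update source changed' },
  'capability.policy.manoscript.sites': { kind: 'list', risk: 'NoScript checks bypassed for the added sites' },
  'extensions.adblockplus.whitelistschemes': { kind: 'list', risk: 'Adblock Plus whitelisting rules changed' },
  'weboftrust.norepsfor': { kind: 'list', risk: 'WOT reputation check bypassed for the added domains' },
};

// Space-separated preference strings are treated as lists of entries.
function splitList(value) {
  return String(value === undefined ? '' : value).split(/\s+/).filter(Boolean);
}

// Compare a snapshot of current preference values against the baseline and return
// one finding per preference whose change matches its rule.
function auditPrefs(baseline, current) {
  const findings = [];
  for (const [name, rule] of Object.entries(PREF_RULES)) {
    const before = baseline[name];
    const after = current[name];
    if (rule.kind === 'bool') {
      // Security switches must hold their expected value, whatever the baseline says.
      if (after !== rule.expect) findings.push({ pref: name, change: `${before} -> ${after}`, risk: rule.risk });
    } else if (rule.kind === 'exact') {
      if (after !== before) findings.push({ pref: name, change: `${before} -> ${after}`, risk: rule.risk });
    } else {
      // For list-valued preferences only additions matter: a new site or scheme widens trust.
      const known = new Set(splitList(before));
      const added = splitList(after).filter((entry) => !known.has(entry));
      if (added.length > 0) findings.push({ pref: name, change: `added ${added.join(' ')}`, risk: rule.risk });
    }
  }
  return findings;
}

// Constructed baseline and a constructed snapshot in which two preferences have been
// overridden: the CSP switch and the NoScript site list, as on the slides.
function demo() {
  const baseline = {
    'security.csp.enable': true,
    'dom.disable_open_during_load': true,
    'browser.safebrowsing.malware.enabled': true,
    'dom.popup_allowed_events': 'click dblclick',
    'extensions.update.url': 'https://update.example/placeholder',
    'capability.policy.manoscript.sites': 'https://trusted.example',
    'extensions.adblockplus.whitelistschemes': 'about',
    'weboftrust.norepsfor': '',
  };
  const current = {
    ...baseline,
    'security.csp.enable': false,
    'capability.policy.manoscript.sites': 'https://trusted.example malicious.com',
  };
  return auditPrefs(baseline, current); // two findings: the CSP switch and the NoScript site list
}
```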

SLIDE 52

Colluding Browser Extensions

Experimental Results

Effectiveness of colluding attacks

  • Our extensions are implemented in such a way that even client-side solutions [1][2] would not be able to detect the information and data leakage.

[1] Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittman, Samuel T. King, P. Madhusudan, and Marianne Winslett. 2011. Vetting Browser Extensions for Security Vulnerabilities with VEX. Commun. ACM 54, 9 (Sept. 2011).
[2] Mohan Dhawan and Vinod Ganapathy. 2009. Analyzing Information Flow in JavaScript-Based Browser Extensions. In Proceedings of the 2009 Annual Computer Security Applications Conference (ACSAC'09).

SLIDE 53

Colluding Browser Extensions

Mitigation

Possible mitigation techniques

  • Sandboxing
    • Running browser components in a sandbox environment with restricted privileges.
    • Isolating web programs, extensions, plug-ins and browser components.
    • Each extension should run in a separate address space.
    • Restricting extensions with the Same Origin Policy.
  • Improving client-side solutions
    • These solutions are meant for analyzing a single extension at a time, and hence remain ineffective if a malicious flow originates from two or more colluding extensions.
    • Existing solutions should consider the objects created by nsIObserverService as a sensitive source, as they can pass sensitive information on to other extensions.
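
Added example (not from the slides or the authors' PoC): a small model of the observer-based inter-component communication from the threat model slides, with a flow monitor that applies the last mitigation above, i.e. it treats every object passed through the observer service as a sensitive source and refuses to let a different extension hand that object to a network sink. ObserverBus, FlowMonitor, networkSend, the extension ids and the topic name are assumptions made for this model; none of them is an XPCOM API.

```javascript
// Model of observer-notification collusion and the proposed mitigation. The names
// ObserverBus, FlowMonitor, networkSend, 'ext-X', 'ext-Y' and the topic string are
// invented for this example; they are not XPCOM interfaces.

class FlowMonitor {
  constructor() {
    this.shared = new WeakMap(); // object reference -> { origin, topic }
    this.alerts = [];
  }
  // Called by the bus: remember which extension published the object and under which topic.
  markShared(subject, origin, topic) {
    if (subject !== null && typeof subject === 'object') {
      this.shared.set(subject, { origin, topic });
    }
  }
  // Called by the network sink: walk the outgoing payload and refuse it if it contains an
  // object that another extension published through the observer service.
  // Limitation: only object references are tracked, so a collusion that copies primitives
  // out of the shared object first needs real taint propagation to be caught.
  checkSink(sender, payload) {
    const seen = new Set();
    const stack = [payload];
    while (stack.length > 0) {
      const v = stack.pop();
      if (v === null || typeof v !== 'object' || seen.has(v)) continue;
      seen.add(v);
      const tag = this.shared.get(v);
      if (tag && tag.origin !== sender) {
        this.alerts.push({ sender, origin: tag.origin, topic: tag.topic });
        return false;
      }
      for (const key of Object.keys(v)) stack.push(v[key]);
    }
    return true;
  }
}

class ObserverBus {
  constructor(monitor) {
    this.monitor = monitor;
    this.observers = new Map(); // topic -> [{ extId, callback }]
  }
  addObserver(topic, extId, callback) {
    if (!this.observers.has(topic)) this.observers.set(topic, []);
    this.observers.get(topic).push({ extId, callback });
  }
  // Every notify hands the subject to all listeners, so the monitor tags it here.
  notifyObservers(subject, topic, data, senderId) {
    this.monitor.markShared(subject, senderId, topic);
    for (const { callback } of this.observers.get(topic) || []) callback(subject, topic, data);
  }
}

// Simulated network sink guarded by the monitor; returns 'sent' or 'blocked'.
function networkSend(monitor, extId, payload) {
  return monitor.checkSink(extId, payload) ? 'sent' : 'blocked';
}

// Attack Scenario 1 replayed against the monitor with a constructed DOM snapshot:
// Y publishes what it read from the page, X picks it up and tries to send it out.
function runScenario() {
  const monitor = new FlowMonitor();
  const bus = new ObserverBus(monitor);
  let captured = null;
  bus.addObserver('ext-y-dom-ready', 'ext-X', (subject) => { captured = subject; });
  const domSnapshot = { url: 'https://bank.example', fields: { user: 'alice' } }; // constructed
  bus.notifyObservers(domSnapshot, 'ext-y-dom-ready', null, 'ext-Y');
  return {
    crossExtension: networkSend(monitor, 'ext-X', { report: captured }), // 'blocked'
    ownData: networkSend(monitor, 'ext-X', { stats: { pages: 3 } }),     // 'sent'
    publisherSend: networkSend(monitor, 'ext-Y', domSnapshot),          // 'sent'
    alerts: monitor.alerts,
  };
}
```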

SLIDE 55

Conclusions

  • Firefox XPCOM interfaces are exposed to security threats and exploits.
  • Our novel colluding attacks cause privacy leakage in the browser.
  • The proposed PoCs for colluding attacks are effective against existing client-side security techniques.
  • Future research aims to provide solutions that examine these security issues, and to devise effective countermeasures that improve the existing techniques.

SLIDE 56

Conclusions

Recommendations

  • Developers
    • Follow the OWASP developer's guide.
    • Read the code of similar extensions for ideas on avoiding common bugs.
  • Security professionals
    • Adhere to the OWASP testing guide.
    • Watch publications for new ideas on breaking extensions.
  • End-users
    • Don't trust extensions! Especially third-party ones from outside the Mozilla store.
    • Check logs of security issues / Bugzilla.
    • Update add-ons (after checking the above).
    • Consider Safe Mode (disables all extensions) before doing critical tasks.

SLIDE 57

Conclusions

Thank You

SLIDE 58

Conclusions

Questions
