Spying on the browser: dissecting the design of malicious extensions
FEATURE
exploited to take control of the entire system. Related work on securing extensions has shown how to design extensions that are free from such vulnerabilities [5]. Of course, malicious extensions do not care that extensions should be secure; their author is the attacker.
Generally, the aim of a malicious extension is to steal sensitive data from the user and transfer it to an attacker-controlled domain. Malicious extensions abuse the trust model used by the browser to set up a communication channel between the browser and a website of the attacker's choosing. Usually, this is done by creating a session with a target website hosted on third-party servers. The point is that HTTP running over SSL/TLS offers no protection against malicious extensions. Most users have a false sense of security when websites use HTTPS. This is not justified, because HTTPS protects users only from transport-layer attacks such as eavesdropping and tampering on the network. Ironically, HTTPS actually protects the malicious session from such attacks. HTTPS preserves the confidentiality and integrity of data in transit, but because the malicious code runs within the browser, with access to the page before encryption is applied, data can be read and manipulated before it ever reaches the network layer.
Why doesn't anti-malware software catch malicious extensions? Malicious extensions are not scanned by anti-malware solutions because extensions are treated as trusted components of the browser by default. We have seen some browser plug-in integrity checkers that detect the presence of secure and insecure plug-ins based on version information. However, for extensions this version-scanning technique is not effective: plug-ins are proprietary binaries shipped by a small number of vendors, so a version number maps to a known set of vulnerabilities, whereas extensions are script written by thousands of independent authors, so a version number says nothing about what the code does. As a result, malicious extensions are largely unaffected by antivirus solutions.
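Because no signature exists for a freshly written extension, the practical check is to look at what the extension is allowed to do rather than at what it is. The script below is an added example, not code from the article: it performs a static triage of a WebExtension manifest.json (the format used by current Chrome and Firefox extensions, not the Firefox overlay code shown in Listing 2) for the capability combination a form stealer needs, namely script in every page plus a way to reach an arbitrary remote host. The host patterns, the list of sensitive permissions, the one-point-per-finding scoring and the two sample manifests are this example's own assumptions.

```javascript
// Added example (not from the article): static triage of a WebExtension
// manifest.json. A form stealer needs script in every page plus a way to
// talk to an attacker host, and that capability set is visible in the
// manifest even when no antivirus signature exists. Patterns, permission
// list, scoring and the two sample manifests are assumptions of this example.

// Host patterns that grant access to every site.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Permissions that let an extension read or reroute user traffic and state.
const SENSITIVE_PERMISSIONS = new Set([
  'webRequest', 'webRequestBlocking', 'declarativeNetRequest', 'scripting',
  'cookies', 'tabs', 'history', 'clipboardRead', 'nativeMessaging', 'proxy',
]);

function isBroadPattern(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

// Host permissions live in host_permissions (manifest v3) or inside
// permissions (manifest v2); collect them from either place.
function hostPermissions(manifest) {
  if (Array.isArray(manifest.host_permissions)) return manifest.host_permissions;
  return (manifest.permissions || []).filter(p => p === '<all_urls>' || p.includes('://'));
}

// Returns one finding per risky capability; score is the number of findings.
function triageManifest(manifest) {
  const findings = [];
  if (hostPermissions(manifest).some(isBroadPattern)) {
    findings.push('host access to every site');
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadPattern)) {
      findings.push('content script injected into every site');
    }
    if (cs.all_frames) {
      findings.push('content script also runs inside iframes (login and payment widgets)');
    }
    if (cs.run_at === 'document_start') {
      findings.push('content script runs before page scripts and can hook form and XHR APIs');
    }
  }
  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`sensitive permission: ${p}`);
  }
  // CSP is a string in manifest v2 and an object in manifest v3.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === 'string' ? csp : (csp && csp.extension_pages) || '';
  if (cspText.includes('unsafe-eval')) {
    findings.push('CSP allows eval, so behaviour can be fetched at runtime');
  }
  return { name: manifest.name, score: findings.length, findings };
}

// Constructed sample manifests for this example.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: 'example.com helper',
  permissions: ['storage'],
  host_permissions: ['https://example.com/*'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['helper.js'] }],
};

const RISKY_MANIFEST = {
  manifest_version: 3,
  name: 'Free Toolbar',
  permissions: ['storage', 'tabs', 'webRequest'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{
    matches: ['<all_urls>'], js: ['inject.js'], all_frames: true, run_at: 'document_start',
  }],
};

for (const m of [BENIGN_MANIFEST, RISKY_MANIFEST]) {
  const r = triageManifest(m);
  console.log(`${r.name}: score ${r.score}`);
  for (const f of r.findings) console.log('  - ' + f);
}
```

Run it with node after pasting a real manifest into place of the samples. Treat the output as triage rather than a verdict: legitimate ad blockers and password managers also need access to every site, so a high score says where to read the code, not what to block.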
The basic operation is:
1. A user visits a site that has been infected with malicious code.
2. The malicious site installs a malicious extension into the user's browser.
3. Within the browser, the malicious extension snoops on the user's browsing activity.
4. Information collected by the malicious extension is sent to an attacker's remote server.
Listing 2: Wrapper function to steal data in forms
window.document.onsubmit = scan_forms;
// Scan the document forms; in Firefox chrome code, content is the selected tab's window
function scan_forms() {
  var forms = content.document.getElementsByTagName('form');
  for (var i = 0; i < forms.length; i++) {
    var fields = forms[i].elements, stolen = '';
    for (var j = 0; j < fields.length; j++) // every field, passwords included, read before encryption
      stolen += fields[j].name + '=' + fields[j].value + '&';
  }
}