9/1/2010 Josh Holat
All four of today’s most popular web browsers - Internet Explorer, Firefox, Safari, and Chrome - support extensions, pieces of software from third parties that function inside of a browser and add functionality. Since these extensions are usually promoted through online marketplaces for each browser, they are extremely easy to find and install. Because they are often advertised by and downloaded from the websites of trustworthy companies like Google and Mozilla, users inherently trust the extensions themselves.
A team of Illinois computer science researchers suggests that in many cases, this trust might be misplaced. In a research paper entitled “VEX: Vetting Browser Extensions For Security Vulnerabilities”, Sruthi Bandhakavi, an Illinois PhD student co-advised by Marianne Winslett and P. Madhusudan and helped by Sam T. King, outlines how subtle vulnerabilities in browser extensions could lead to disastrous attacks. The work won the best paper award at the 19th USENIX Security Symposium, held in Washington, D.C., an event that brings together researchers, programmers, and others interested in the latest security advancements.
What do we have to worry about? “Firefox extensions run with full browser privileges, so attackers can potentially exploit extension weaknesses to take over the browser, steal cookies or protected passwords, compromise confidential information, or even hijack the host system, without revealing their actions to the user,” says Bandhakavi. Essentially, installing one of these vulnerable extensions is like opening a doorway to malicious sites that know how to exploit those weaknesses. Even more unfortunate is that this type of attack can’t be found or stopped by antivirus software.
How can we stop this? Currently, extensions are vetted, or examined, for security vulnerabilities manually. However, Bandhakavi’s paper presents VEX, “a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to the JavaScript code used to implement extensions.” In short, this program will leave less room for human error when analyzing extensions for potentially dangerous pathways within the browser.
The framework presented by this student has already scanned thousands of extensions and uncovered six exploitable vulnerabilities (three of which were previously unknown) and hundreds of examples of bad programming practices that may lead to security vulnerabilities. For example, it found that versions 0.5.7 and 0.5.9 of Wikipedia Toolbar can allow malicious JavaScript code to be run at root level within Firefox, giving the code access to pretty much anything it would ask for. Furthermore, her work has also uncovered some bad programming practices put into place by extension developers who simply may not know that their code is vulnerable because not everyone is a security expert. These practices were found in hundreds of extensions and can be the first step to a major vulnerability.
“The main target of this work is the extension editors (people who vet extensions before they are made public), who could use this tool to analyze thousands of extensions simultaneously,” claims Bandhakavi. The people controlling the extension marketplaces (Google, Apple, etc.) often don’t have the tools to extensively test these extensions, adds Prof. Parthasarathy. Put that together and it’s easy to see that the aim of their framework is to “help [these companies] find the vulnerabilities before they affect the populace at large” by making it easier and faster to do so. That said, Bandhakavi hopes her work can also help to educate extension developers in understanding ways their code could be compromised.
While her program only works on Firefox extensions currently, Bandhakavi plans to modify it to also analyze Chrome extensions next.