Context

Browser extension-related attacks

Browser extensions extend the functionality of a web browser, enhancing the browsing experience and providing extra functionality (e.g., video extractors, thumbnail generators, form fillers). The availability of extensions may even influence how popular a browser is.

  • malicious or “benign-but-buggy” extensions may be misused by attackers

As reported in 2010, many Firefox extensions are over-privileged and exhibit insecure programming practices.

Background on Firefox extensions

Legacy Firefox extensions can leverage a rich API through a framework called XPCOM (Cross Platform Component Object Model). XPCOM allows the development of components, each defining a set of interfaces.

  • Firefox extensions are usually written in JavaScript and interoperate with XPCOM via a technology called XPConnect
  • Firefox extensions can access the filesystem, the network and the stored passwords
  • Firefox extensions have full control over the visual appearance and functionality of the browser window. The GUI (graphical user interface) of any window can be modified via XUL (XML User Interface Language), which lets a malicious extension overlay or alter trusted browser UI to mount clickjacking attacks
  • Namespace collisions. In the legacy XPCOM framework all extensions share the same JavaScript namespace. A malicious extension can therefore read variables defined by other extensions to steal sensitive information (data leakage), or overwrite their functions and objects to alter their behavior
  • At the time of the paper, the modern framework for developing secure Firefox extensions was the Add-on SDK (project Jetpack). It isolates modules from each other: each module runs in its own scope instead of the shared window namespace
  • Existing browser extensions (legacy extensions) are not easily portable to the Add-on SDK
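To make the namespace-collision bullet concrete, here is an added example (not code from the paper or from SENTINEL) in plain JavaScript. It simulates the single shared window scope that legacy overlay extensions ran in, with two constructed extensions: a form filler and a malicious extension loaded after it. It shows both the direct global read and the function-overwrite attack, and then what a Jetpack-style module closure does and does not prevent. The extension code, names and credentials are all constructed for illustration.

```javascript
// Added example, not code from the paper or from SENTINEL. `win` stands in for
// the single chrome window scope that every legacy overlay extension ran in.
// All extension code and the credentials are constructed for illustration.

// Extension A (legacy style): a form filler that keeps its state in the shared scope.
function loadFormFiller(win) {
  win.formFillerCredentials = { user: "alice", pass: "hunter2" }; // constructed
  win.fillLoginForm = function (form) {
    form.user = win.formFillerCredentials.user;
    form.pass = win.formFillerCredentials.pass;
    return form;
  };
}

// Extension A (Jetpack-style): state lives in a closure; only the API is exported.
function loadIsolatedFormFiller(win) {
  const credentials = { user: "alice", pass: "hunter2" }; // constructed
  win.fillLoginForm = function (form) {
    form.user = credentials.user;
    form.pass = credentials.pass;
    return form;
  };
}

// Extension B: loaded later into the same scope. It tries (1) to read A's
// global directly and (2) to replace A's function with a wrapper that copies
// whatever A fills in. `exfil` stands in for the attacker's sink.
function loadMaliciousExtension(win, exfil) {
  if (win.formFillerCredentials !== undefined) {
    exfil.push({ kind: "stolen-global", data: { ...win.formFillerCredentials } });
  }
  const original = win.fillLoginForm;
  win.fillLoginForm = function (form) {
    const result = original(form); // keep A's behavior so the user notices nothing
    exfil.push({ kind: "hooked-call", data: { ...result } });
    return result;
  };
}

// Load one variant of A, then B, then trigger the normal form-fill call that
// the user (or A itself) would make from the overlay.
function runScenario(loadA) {
  const win = {};
  const exfil = [];
  loadA(win);
  loadMaliciousExtension(win, exfil);
  const filled = win.fillLoginForm({ user: "", pass: "" });
  return { filled, exfil };
}

// Run both variants of A against the same B.
function compare() {
  return {
    legacy: runScenario(loadFormFiller),          // exfil: stolen-global + hooked-call
    isolated: runScenario(loadIsolatedFormFiller), // exfil: hooked-call only
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The closure hides the credential variable, but the function A exports onto the shared window is still replaceable, so the hook still captures every filled form. Real isolation needs the platform to give each extension its own scope, which is what the Add-on SDK's module system (and later WebExtensions) did.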

Contributions

  • a policy enforcement approach to ensure that legacy Firefox extensions do not engage in undesired activities (XPCOM attacks, malicious GUI modifications, JavaScript namespace collisions)
  • an extension called SENTINEL that implements this approach to defend against malicious Firefox extensions

Approach

SENTINEL acts as a preprocessor that automatically analyzes and modifies a target extension without user intervention. The user can create and edit policies to tune SENTINEL's behavior.

  • At runtime SENTINEL monitors and intercepts all XPCOM and XUL element accesses requested by JavaScript Firefox extensions, analyzes the source, target(s), type and parameters of each operation, and allows or denies it by consulting a local policy database
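An added example (not SENTINEL's code) of the policy check described above, in plain JavaScript. A constructed stand-in for the XPCOM `Components.classes` registry is wrapped in a Proxy so that every method call is matched against a per-extension rule list (target contract ID, method name, optional predicate over the arguments) before it is forwarded, with default deny and an audit trail. SENTINEL's actual rewriting and policy format differ; the contract IDs follow Firefox's naming, but the components behind them, the extension IDs and the rules are assumptions.

```javascript
// Added example, not SENTINEL's code. `fakeComponents` is a constructed stand-in
// for the XPCOM `Components.classes` registry: the contract IDs are real Firefox
// names, the objects behind them are simulated.
const fakeComponents = {
  "@mozilla.org/login-manager;1": {
    getAllLogins() {
      return [{ hostname: "https://bank.example", username: "alice", password: "hunter2" }];
    },
  },
  "@mozilla.org/network/io-service;1": {
    newURI(spec) { return { spec }; },
  },
  "@mozilla.org/preferences-service;1": {
    setCharPref(name, value) { return `${name}=${value}`; },
  },
};

// Policy database (assumed format): one rule list per extension id. A rule
// matches on the target contract ID, the method name ("*" = any) and an
// optional predicate over the call arguments. First match wins; no match
// means deny.
const policyDb = {
  "formfiller@example.com": [
    { target: "@mozilla.org/login-manager;1", method: "getAllLogins", action: "allow" },
    { target: "@mozilla.org/network/io-service;1", method: "newURI",
      args: (spec) => typeof spec === "string" && spec.startsWith("https://"), action: "allow" },
  ],
  "thumbnails@example.com": [
    { target: "@mozilla.org/network/io-service;1", method: "*", action: "allow" },
  ],
};

// Decide one operation from its source (extension), target, type (method) and parameters.
function decide(extensionId, target, method, args, audit) {
  for (const rule of policyDb[extensionId] || []) {
    if (rule.target !== target) continue;
    if (rule.method !== "*" && rule.method !== method) continue;
    if (rule.args && !rule.args(...args)) continue;
    audit.push({ extensionId, target, method, action: rule.action });
    return rule.action === "allow";
  }
  audit.push({ extensionId, target, method, action: "deny (no matching rule)" });
  return false;
}

// Wrap a component so every method call is checked before it is forwarded.
function guardComponent(extensionId, contractId, component, audit) {
  return new Proxy(component, {
    get(obj, prop) {
      const member = obj[prop];
      if (typeof member !== "function") return member;
      return (...args) => {
        if (!decide(extensionId, contractId, String(prop), args, audit)) {
          throw new Error(`policy: ${extensionId} denied ${contractId}.${String(prop)}`);
        }
        return member.apply(obj, args);
      };
    },
  });
}

// What a rewritten extension would see in place of Components.classes.
function guardedClasses(extensionId, audit) {
  return new Proxy({}, {
    get(_, contractId) {
      const component = fakeComponents[contractId];
      return component && guardComponent(extensionId, String(contractId), component, audit);
    },
  });
}

// Capture the outcome of one access instead of letting the denial propagate.
function attempt(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Two constructed extensions attempt the same kinds of operations under their own rules.
function runPolicyScenario() {
  const audit = [];
  const ff = guardedClasses("formfiller@example.com", audit);
  const th = guardedClasses("thumbnails@example.com", audit);
  return {
    audit,
    ffLogins: attempt(() => ff["@mozilla.org/login-manager;1"].getAllLogins()),
    thLogins: attempt(() => th["@mozilla.org/login-manager;1"].getAllLogins()),
    ffHttp:   attempt(() => ff["@mozilla.org/network/io-service;1"].newURI("http://evil.example/")),
    ffHttps:  attempt(() => ff["@mozilla.org/network/io-service;1"].newURI("https://bank.example/")),
    thPref:   attempt(() => th["@mozilla.org/preferences-service;1"].setCharPref("browser.startup.homepage", "http://evil.example/")),
  };
}

console.log(JSON.stringify(runPolicyScenario(), null, 2));
```

The form filler is allowed to read saved logins but may only build https URIs, so a plaintext exfiltration attempt is denied; the thumbnail extension gets network access but is denied both the password store and the preference write because no rule matches. The audit list is what a user-facing policy editor would need to show when tuning rules, which is where the paper's usability limit (below) bites.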

Evaluation

Seven attack scenarios (data exfiltration, RCE (Remote Code Execution), saved password theft, preference modification, phishing, clickjacking, JavaScript namespace collision) were designed to evaluate SENTINEL, and the extension defended against all of them.

SENTINEL flagged 32 of the 50 legacy extensions tested. It is not clear whether these count as false positives: the extensions were benign, but they performed operations that could be used to launch attacks.

Limits

  • Writing XPCOM policies for a given extension requires a good understanding of its behavior, which is beyond the average user
  • SENTINEL was built against an outdated Firefox SDK

Starting with Firefox 57 (Quantum), released in November 2017, Mozilla dropped support for legacy add-ons (XUL/XPCOM-based extensions and the Add-on SDK/Jetpack) in favor of a new extension system, the WebExtensions API. WebExtensions are modeled on Chrome's extension system, have no access to XPCOM or to the browser's XUL chrome, and are:

  • Isolated (each extension runs in its own context and cannot interfere with the code or data of other extensions)
  • Largely cross-browser compatible (Chrome, Edge, Opera)
  • Based on standard JavaScript, HTML and CSS
  • Governed by declarative permissions, declared in the extension's manifest.json and granted by the user at install time

WARNING

Legacy extensions, including the dangerous ones discussed above, can no longer be loaded or executed by current Firefox releases.

