
Browser Extension Security

Nemo
February 13, 2014


Presented at Nullcon - 2014 as a night talk.



Transcript

  1. Browser Extension Security
     Abhay Rana, @capt_n3m0, IIT Roorkee

  2. Extensions?
     - Browser 3rd-party code
     - Trust
     - Better user experience

  3. Browsers? Extension ✔ Addon ✖ Plugin ✖

  4. Extension Security (Chrome)
     - Isolated Worlds
     - Privilege Separation
     - Permissions

  5. Threats
     Malicious Extensions: An attacker could install a malicious extension in the browser that could, theoretically, cause a lot of damage.
     Extension Vulnerabilities: The extension could in itself be vulnerable.
     - Insecure coding practices
     - Developer negligence or incompetence

  6. Privilege Abuse

  7. Number of extra privileges sought vs. number of extensions:

     Extra privileges sought   Extensions
     0                         452
     1                         627
     2                         264
     3                         108
     4                          74
     5                          71
     6                          24
     7                          20
     8                          12
     9                           7
     11                          2
     12                          1
     13                          1
     21                          1

  8. Old statistics (April 2013)

  9. Extension Checker
     Pre-checks the extension's API usage and reports it.
     http://nullcon.captnemo.in/

  10. Examples of privilege abuse
     - Lightning Speed Dial (2M users)
     - Yandex Weather (38k users)
     - Facebook Themes (182k users)
     - Hola Better Internet (12k users)
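The deck's own extension checker lives at nullcon.captnemo.in; the JavaScript below is an added illustration of the same idea and is not that tool or its code. It audits a constructed manifest against the `chrome.*` API namespaces the extension's scripts actually reference, so that permissions requested but never exercised (the "extra privileges sought" counted on slide 7) and broad host patterns stand out. The namespace-to-permission map, the sample manifest and the sample sources are assumptions made for the example; Chrome's real permission rules are more nuanced, so treat hits as leads for a manual review.

```javascript
// Added example: a minimal static audit of a Chrome extension manifest
// against the chrome.* API namespaces found in its scripts. Not the
// nullcon.captnemo.in checker; names and the mapping below are assumptions.

// Simplified mapping from API namespace to the manifest permission that
// unlocks it. Real Chrome rules differ in places (e.g. parts of chrome.tabs
// work without the "tabs" permission), so hits are leads, not verdicts.
const API_PERMISSIONS = {
  tabs: "tabs",
  cookies: "cookies",
  history: "history",
  bookmarks: "bookmarks",
  webRequest: "webRequest",
  storage: "storage",
  management: "management",
  downloads: "downloads",
};

// Host permission patterns that reach every site the user visits.
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Collect the chrome.<namespace> references present in one source file.
function usedNamespaces(source) {
  const found = new Set();
  const re = /\bchrome\.([A-Za-z]+)\./g;
  let m;
  while ((m = re.exec(source)) !== null) {
    found.add(m[1]);
  }
  return found;
}

// Compare declared permissions with observed API usage.
//   unused:     permission requested but no matching API call seen (over-privilege)
//   undeclared: API used without its permission (would fail at runtime)
//   broadHosts: host permissions covering every site
function auditPermissions(manifest, sources) {
  const declared = new Set(manifest.permissions || []);
  const used = new Set();
  for (const src of sources) {
    for (const ns of usedNamespaces(src)) used.add(ns);
  }
  const unused = [];
  const undeclared = [];
  for (const [ns, perm] of Object.entries(API_PERMISSIONS)) {
    if (declared.has(perm) && !used.has(ns)) unused.push(perm);
    if (used.has(ns) && !declared.has(perm)) undeclared.push(perm);
  }
  const broadHosts = [...declared].filter((p) => BROAD_HOSTS.includes(p));
  return { unused: unused.sort(), undeclared: undeclared.sort(), broadHosts };
}

// Constructed sample: a manifest that asks for more than its code uses.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example Speed Dial",
  permissions: ["tabs", "cookies", "history", "storage", "<all_urls>"],
};
const SAMPLE_SOURCES = [
  'chrome.tabs.query({active: true}, function (tabs) { render(tabs); });',
  'chrome.storage.local.get("dials", function (r) { render(r.dials); });',
];

function report() {
  return auditPermissions(SAMPLE_MANIFEST, SAMPLE_SOURCES);
}

console.log(JSON.stringify(report(), null, 2));
```

Run with `node` and the report lists `cookies` and `history` as requested but unused, nothing undeclared, and `<all_urls>` as a broad host permission. A real checker would also walk the files in the unpacked extension directory and handle `optional_permissions`; the regex here is deliberately simple and will miss calls made through aliases such as `var t = chrome.tabs`.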
  11. Content Security Policy
     - Send HTTP headers to save yourself from XSS.
     - Enabled by default in all Chrome extensions.
     - Disables inline JS (script tags), eval (use JSON parsers instead), and href="javascript:code".
     It's not a magic bullet, but it does help in preventing a lot of attacks. See content-security-policy.com
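As an added example that is not part of the deck: the policy string Chrome applies by default to extension pages (it can be stated explicitly under the manifest v2 `content_security_policy` key), a small check that a policy keeps `'unsafe-inline'` and `'unsafe-eval'` out of `script-src`, and the eval-versus-JSON-parser contrast the slide recommends, run on a constructed settings payload. Function names and the payload are illustrative.

```javascript
// Added example (not from the original deck): why the CSP rule against eval
// matters for an extension, and what the recommended replacement looks like.

// The default policy for Chrome extension pages; putting it in manifest.json
// under "content_security_policy" (manifest v2) makes the intent explicit.
const MANIFEST_CSP = "script-src 'self'; object-src 'self'";

// Does the script-src directive keep the two dangerous sources out?
function cspForbidsInlineAndEval(policy) {
  const scriptSrc = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src"));
  if (!scriptSrc) return false; // no explicit script-src: do not assume it is strict
  return !scriptSrc.includes("'unsafe-inline'") && !scriptSrc.includes("'unsafe-eval'");
}

// Constructed "settings" payload as an extension might receive it from a
// remote server or localStorage: shaped like JSON but wrapped in code.
const TAMPERED_SETTINGS =
  '(function () { globalThis.settingsWereTampered = true; return {"theme": "dark"}; })()';

// Vulnerable pattern: treating data as code. Only works where the CSP
// allows 'unsafe-eval', which the default extension policy does not.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Hardened pattern: a JSON parser accepts data only; anything else throws.
function parseWithJson(text) {
  return JSON.parse(text);
}

// Run both parsers on the same input and report what each one did.
function demo() {
  globalThis.settingsWereTampered = false;
  const viaEval = parseWithEval(TAMPERED_SETTINGS);
  const tamperedByEval = globalThis.settingsWereTampered === true;
  let jsonRejected = false;
  try {
    parseWithJson(TAMPERED_SETTINGS);
  } catch (e) {
    jsonRejected = e instanceof SyntaxError;
  }
  const benign = parseWithJson('{"theme": "dark"}');
  return {
    evalTheme: viaEval.theme,       // eval "worked" ...
    tamperedByEval,                 // ... and ran the embedded code
    jsonRejected,                   // JSON.parse refused the same input
    benignTheme: benign.theme,      // and still handles real settings
  };
}

console.log(demo());
```

The point of the demo is that both parsers return the same `theme` for well-formed data, but only `eval` also executes whatever else the payload carried; with the default extension CSP in force the `eval` branch would throw instead of running, which is the protection the slide refers to.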
  12. How to stay safe?
     - Use our extension checker (nullcon.captnemo.in)
     - Trust.
     - Read the source.
     - Use CSP