$30 off During Our Annual Pro Sale. View Details »

Browser Extension Security

Nemo
February 13, 2014
Research
0
230

Browser Extension Security

Presented at Nullcon - 2014 as a night talk.

Nemo

February 13, 2014
Tweet

More Decks by Nemo

See All by Nemo
endoflife.date Recommendations
captn3m0
1
170
Sanskari Proxy
captn3m0
0
38
Laravel Upgrade Stories
captn3m0
0
59
Terraforming Tatooine
captn3m0
0
180
You don't need Blockchain
captn3m0
0
160
hillhacks quiz 2017
captn3m0
0
180
Security Horror stories in Payments
captn3m0
0
370
All Software Sucks
captn3m0
0
190
Hillhacks Quiz 2016
captn3m0
0
120

Other Decks in Research

See All in Research
自作パケット処理系の性能測定と可視化&改善のPDCAを回して最強のパケット処理系の作り方を学ぼう / Let's Measure the Performance of Packet Processing System with Python Tools.
takehaya
3
2.1k
拡散モデルによる画像生成(CVIMチュートリアル)
mi141
6
880
最先端NLP勉強会2023
miyuoba
3
210
MediaGnosis IEEE ICIP2023 Industry Seminar
ryomasumura
0
220
SNLP2023:Is GPT-3 a Good Data Annotator?
yukizenimoto
2
640
Conservation Laws for Gradient Flows
gpeyre
1
700
Google Cloud Next’23「Title:出店ブースで10社以上におすすめ機能を質問してきた」
yasumuusan
0
380
マルチリンガルな言語モデル入門:これまでとこれから
ryou0634
2
2.1k
近似最近傍探索とVector DBの理論的背景
matsui_528
2
310
機械学習における重要度重み付けとその応用
mkimura
3
1.2k
LLM Fine-Tuning (東大松尾研LLM講座 Day5資料)
schulta
20
7.6k
INTERSPEECH 2023 T5 Part4: Source Separation Based on Deep Source Generative Models and Its Self-Supervised Learning
yoshipon
2
240

Featured

See All Featured
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9.8k
How to name files
jennybc
59
87k
Statistics for Hackers
jakevdp
788
220k
Pencils Down: Stop Designing & Start Developing
hursman
115
11k
Building Flexible Design Systems
yeseniaperezcruz
317
36k
YesSQL, Process and Tooling at Scale
rocio
159
13k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
Become a Pro
speakerdeck
PRO
8
3.6k
Automating Front-end Workflow
addyosmani
1354
200k
Unsuck your backbone
ammeep
660
56k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
44
12k

Transcript

  1. Browser Extension
    Security
    Abhay Rana
    @capt_n3m0
    IIT Roorkee

    View Slide

  2. Extensions?
    Browser
    3rd party
    code
    Trust
    Better User
    Experience

    View Slide

  3. Browsers?
    Extension

    Addon

    Plugin

    View Slide

  4. Extension Security (Chrome)
    - Isolated Worlds
    - Privilege Separation
    - Permissions

    View Slide

  5. Threats
    Malicious Extensions: An attacker could install a malicious
    extension in the browser that could, theoretically, cause a
    lot of damage.
    Extension Vulnerabilities: The extension could in itself be
    vulnerable.
    - Insecure Coding practices
    - Developer negligence or incompetence

    View Slide

  6. Privilege Abuse

    View Slide

  7. 0 452
    1 627
    2 264
    3 108
    4 74
    5 71
    6 24
    7 20
    8 12
    9 7
    11 2
    12 1
    13 1
    21 1
    Number of extra privileges sought
    Number of extensions

    View Slide

  8. Old statistics (April 2013)

    View Slide

  9. Extension Checker
    Pre-checks the extension's API usage and reports it.
    http://nullcon.captnemo.in/

    View Slide

  10. Examples of privilege abuse
    Lightning Speed Dial (2M users)
    Yandex Weather (38k users)
    Facebook Themes (182k users)
    Hola Better Internet (12k users)

    View Slide

  11. Content Security Policy
    - Send HTTP Headers to save yourself from XSS.
    - Enabled by default in all Chrome Extensions
    - Disable Inline JS(script tags), eval (use JSON
    parsers instead), and href=”javascript:code”.
    Its not a magic bullet, but it does help in
    preventing a lot of attacks.
    see content-security-policy.com

    View Slide

  12. How to stay safe?
    - Use our extension checker (nullcon.captnemo.in)
    - Trust.
    - Read the source.
    - Use CSP

    View Slide