Browser Extension Security

Transcript

1. Browser Extension Security Abhay Rana @capt_n3m0 IIT Roorkee

2. Extensions? Browser 3rd party code Trust Better User Experience

3. Browsers? Extension ✔ Addon ✖ Plugin ✖

4. Extension Security (Chrome) - Isolated Worlds - Privilege Separation -

   Permissions

5. Threats Malicious Extensions: An attacker could install a malicious extension

   in the browser that could, theoretically, cause a lot of damage. Extension Vulnerabilities: The extension could in itself be vulnerable. - Insecure Coding practices - Developer negligence or incompetence

6. Privilege Abuse

7. 0 452 1 627 2 264 3 108 4 74

   5 71 6 24 7 20 8 12 9 7 11 2 12 1 13 1 21 1 Number of extra privileges sought Number of extensions

8. Old statistics (April 2013)

9. Extension Checker Pre-checks the extension's API usage and reports it.

   http://nullcon.captnemo.in/

10. Examples of privilege abuse Lightning Speed Dial (2M users) Yandex

    Weather (38k users) Facebook Themes (182k users) Hola Better Internet (12k users)

11. Content Security Policy - Send HTTP Headers to save yourself

    from XSS. - Enabled by default in all Chrome Extensions - Disable Inline JS(script tags), eval (use JSON parsers instead), and href=”javascript:code”. Its not a magic bullet, but it does help in preventing a lot of attacks. see content-security-policy.com

12. How to stay safe? - Use our extension checker (nullcon.captnemo.in)

    - Trust. - Read the source. - Use CSP