Slide 1

Browser Extension Security Abhay Rana @capt_n3m0 IIT Roorkee

Slide 2

Extensions? - Browser 3rd-party code - Trust - Better user experience

Slide 3

Browsers? Extension ✔ Addon ✖ Plugin ✖

Slide 4

Extension Security (Chrome) - Isolated Worlds - Privilege Separation - Permissions

Slide 5

Threats
- Malicious Extensions: An attacker could install a malicious extension in the browser that could, theoretically, cause a lot of damage.
- Extension Vulnerabilities: The extension could in itself be vulnerable.
  - Insecure coding practices
  - Developer negligence or incompetence

Slide 6

Privilege Abuse

Slide 7

Number of extra privileges sought | Number of extensions
 0 | 452
 1 | 627
 2 | 264
 3 | 108
 4 |  74
 5 |  71
 6 |  24
 7 |  20
 8 |  12
 9 |   7
11 |   2
12 |   1
13 |   1
21 |   1

Slide 8

Old statistics (April 2013)

Slide 9

Extension Checker Pre-checks the extension's API usage and reports it. http://nullcon.captnemo.in/

Slide 10

Examples of privilege abuse Lightning Speed Dial (2M users) Yandex Weather (38k users) Facebook Themes (182k users) Hola Better Internet (12k users)

Slide 11

Content Security Policy - Send HTTP headers to save yourself from XSS. - Enabled by default in all Chrome Extensions. - Disables inline JS (script tags), eval (use JSON parsers instead), and href="javascript:code". It's not a magic bullet, but it does help in preventing a lot of attacks. See content-security-policy.com
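As an added example (not code from the talk or from the extension checker it links), a small JavaScript routine in the spirit of that checker: it parses a CSP string and reports the weaknesses this slide names, and shows JSON.parse in place of eval. The weak policy and the cdn.example host are constructed; the default policy is the one Chrome applies to manifest v2 extensions.

```javascript
// Added example, not from the talk: a small checker for the CSP string an
// extension ships, plus an eval()-free way to parse data, as the slide advises.

// Parse a CSP policy string into { directiveName: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// List the weaknesses the slide warns about: inline scripts, eval(), and
// script sources outside the extension's own package.
function cspWeaknesses(policy) {
  const d = parseCsp(policy);
  const scriptSrc = d['script-src'] || d['default-src'] || [];
  const findings = [];
  if (scriptSrc.length === 0) findings.push('no script-src or default-src directive');
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("inline JS allowed ('unsafe-inline')");
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("eval() allowed ('unsafe-eval')");
  if (scriptSrc.includes('*')) findings.push('any host may serve scripts (*)');
  for (const s of scriptSrc) {
    if (/^https?:\/\//.test(s)) findings.push('remote script source ' + s);
  }
  return findings;
}

// Chrome's default policy for (manifest v2) extensions: only packaged scripts
// and objects run, so inline scripts, eval() and javascript: URLs are blocked.
const DEFAULT_EXTENSION_CSP = "script-src 'self'; object-src 'self'";

// A weakened policy an extension's manifest could declare (constructed sample).
const WEAK_CSP =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example; object-src 'self'";

// Instead of eval(responseText) to read JSON from a page or server, use the
// JSON parser: anything that is not JSON data (e.g. code) throws SyntaxError.
function parseUntrustedJson(text) {
  return JSON.parse(text);
}

console.log(cspWeaknesses(WEAK_CSP));
```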

Slide 12

How to stay safe? - Use our extension checker (nullcon.captnemo.in) - Trust. - Read the source. - Use CSP