Ex-Ray: Detection of History-LeakingBrowser Extensions

Michael Weissbacher Northeastern University

Joint work with: Enrico Mariconti, Guillermo Suarez-Tangil,

Gianluca Stringhini, William Robertson, Engin Kirda

What are Browser Extensions? ●Additions to browser core functionality

●Powerful application access based on permissions

○ Modification of active pages

○ Modification of requests / responses

○ Often access to all visited pages

○ Access to cookies

○ Access to previous history

- Google Chrome C )(

D about:blank x

~ C (D about:blank

What are Browser Extensions?

'"' ~-",,.!:~<,:;:- "" ~.... '""

'""'°'-o l!!R!!II ~

:.."'!:'";~~ ~:::·:;:-'-'-·(11

Privacy Implications of Browser Extensions ●Permission system inadequate to contain history leaks ●Only modest permissions required to leak complete browsing history ●Collection sometimes mentioned in terms of service ●User expectation might not align with actual behavior ●Automatic updates of extensions can lead to future leaking behavior ●No unified way of detection or indication for users

Comparison Web Tracking and Extension Tracking

On Websites: – Opt-in: Website owner – Opt-out: Ad blockers or Tracker blockers

In Extensions: – (typically) all websites – Implicit Opt-in through installation – No opt-out

Motivation: Manual Analysis ●One library used across unrelated extensions to leak history

●42 extensions

●8M active users

●Findings documented in blog post

●Google deleted all extensions within 24 hours

●No change in policy

HoneyPot Probe: Overview ●Extensions run in isolation

●Use URLs unique to extension

●Browsing our website...

●... which is also available on the public Internet

●Monitor for incoming connections

• Execut ed I l I X Contacted .... ;J; . .... .-, I I I 30 • • , •• ID()()( ~

% ~; I I ~ 25 0 V) I I • • ••• >«• C I I I • •••• • 2 20 X

::-!r. lt"'" • Q)

Q) I I e eclC9C 'a E 15 • e II ••••x • ..c ;- ;-t 1 I I u 10 tc X f xj I xLI

• }·:·· 5 ac,cxx X • -- -0 llaDO(

2016-11 2016-12 2017-01 2017-02 2017-03 2017-04 2017-05 2017-06

35

HoneyPot Probe

HoneyPot Probe: Results

●Connections prove use of data: data is being acted on ●> 3M active users for these extensions ●Connection often immediately after execution ●Lower bound of leaks ●Indicators for collaboration ●Motivation for automated detection system

Ex-Ray: Overview ●System for automated detection of history leaks ●Goal: Robust Detection ● Method of data collection ● Traffic obfuscation / encryption ●Two complementary automated detection systems ●Additional triage system to assist analysts ●Based on Traffic analysis and browser instrumentation ●Analyzed extensions with more than 1,000 users(10,000+ extensions)

.06

6 1.04

"' ~ 5 >, .0

"' ~ 1 .02 >, .0 ..,

C: I Cl)

"' c Qj

"' "O "O 1 .00 - -Cl) Qj

.!::! .!::! 11)

0 E 0 3

z

0 2

I II 11' E 0 0 .98 z

0.96

...L ...L

Two Three Four 0 .94

Two Three Four

(a) Tracking extension. (b) Benign extensions.

Ex-Ray: Methodology

●Counterfactual analysis ●Based on properties oftracking behavior ●Modifications to historylead to modified network behavior ●Sent data increases as a function of history size

1

Findings ●10M+ active users were leaking their history ●10,691 extensions analyzed ●212 extensions flagged by Ex-Ray (28 wrongly identified - False Detection Rate: 0.27%) ●Two novel ways of leakage detected

Conclusion

●History leaks through browser extensions widespread ●Extension stores do not scan for history leaks ●Robust leak detection possible ●Possible remediation

○ Integration of leak detection into extension stores ○ Users should uninstall unused extensions

https://mweissbacher.com/blog/2017/10/05/ex-ray-finding-browser-extensions-that-spy-on-your-browsing-habits/