ex-ray: detection of history-leaking browser extensions · based on traffic analysis and browser...
TRANSCRIPT
Ex-Ray: Detection of History-LeakingBrowser Extensions
Michael Weissbacher Northeastern University
Joint work with: Enrico Mariconti, Guillermo Suarez-Tangil,
Gianluca Stringhini, William Robertson, Engin Kirda
What are Browser Extensions? ●Additions to browser core functionality
●Powerful application access based on permissions
○ Modification of active pages
○ Modification of requests / responses
○ Often access to all visited pages
○ Access to cookies
○ Access to previous history
- Google Chrome C )(
D about:blank x
~ C (D about:blank
What are Browser Extensions?
'"' ~-",,.!:~<,:;:- "" ~.... '""
'""'°'-o l!!R!!II ~
:.."'!:'";~~ ~:::·:;:-'-'-·(11
Privacy Implications of Browser Extensions ●Permission system inadequate to contain history leaks ●Only modest permissions required to leak complete browsing history ●Collection sometimes mentioned in terms of service ●User expectation might not align with actual behavior ●Automatic updates of extensions can lead to future leaking behavior ●No unified way of detection or indication for users
Comparison Web Tracking and Extension Tracking
On Websites: – Opt-in: Website owner – Opt-out: Ad blockers or Tracker blockers
In Extensions: – (typically) all websites – Implicit Opt-in through installation – No opt-out
Motivation: Manual Analysis ●One library used across unrelated extensions to leak history
●42 extensions
●8M active users
●Findings documented in blog post
●Google deleted all extensions within 24 hours
●No change in policy
HoneyPot Probe: Overview ●Extensions run in isolation
●Use URLs unique to extension
●Browsing our website...
●... which is also available on the public Internet
●Monitor for incoming connections
• Execut ed I l I X Contacted .... ;J; . .... .-, I I I 30 • • , •• ID()()( ~
% ~; I I ~ 25 0 V) I I • • ••• >«• C I I I • •••• • 2 20 X
::-!r. lt"'" • Q)
Q) I I e eclC9C 'a E 15 • e II ••••x • ..c ;- ;-t 1 I I u 10 tc X f xj I xLI
• }·:·· 5 ac,cxx X • -- -0 llaDO(
2016-11 2016-12 2017-01 2017-02 2017-03 2017-04 2017-05 2017-06
35
HoneyPot Probe
HoneyPot Probe: Results
●Connections prove use of data: data is being acted on ●> 3M active users for these extensions ●Connection often immediately after execution ●Lower bound of leaks ●Indicators for collaboration ●Motivation for automated detection system
Ex-Ray: Overview ●System for automated detection of history leaks ●Goal: Robust Detection ● Method of data collection ● Traffic obfuscation / encryption ●Two complementary automated detection systems ●Additional triage system to assist analysts ●Based on Traffic analysis and browser instrumentation ●Analyzed extensions with more than 1,000 users(10,000+ extensions)
.06
6 1.04
"' ~ 5 >, .0
"' ~ 1 .02 >, .0 ..,
C: I Cl)
"' c Qj
"' "O "O 1 .00 - -Cl) Qj
.!::! .!::! 11)
0 E 0 3
z
0 2
I II 11' E 0 0 .98 z
0.96
...L ...L
Two Three Four 0 .94
Two Three Four
(a) Tracking extension. (b) Benign extensions.
Ex-Ray: Methodology
●Counterfactual analysis ●Based on properties oftracking behavior ●Modifications to historylead to modified network behavior ●Sent data increases as a function of history size
1
Findings ●10M+ active users were leaking their history ●10,691 extensions analyzed ●212 extensions flagged by Ex-Ray (28 wrongly identified - False Detection Rate: 0.27%) ●Two novel ways of leakage detected
Conclusion
●History leaks through browser extensions widespread ●Extension stores do not scan for history leaks ●Robust leak detection possible ●Possible remediation
○ Integration of leak detection into extension stores ○ Users should uninstall unused extensions
https://mweissbacher.com/blog/2017/10/05/ex-ray-finding-browser-extensions-that-spy-on-your-browsing-habits/