Automated Detection of Firefox Extension-Reuse Vulnerabilities

Presented at Black Hat Asia 2016

Major web browsers provide extension mechanisms that allow third parties to modify the browser's behavior, enhance its functionality and GUI, and integrate it with popular web services. Extensions can often access private browsing information such as cookies, history and password stores, as well as sensitive system resources. Consequently, malicious extensions, or attacks directed at legitimate but vulnerable extensions, pose a significant security risk to users. The research community has presented studies and tools that analyze the security properties of extensions and has proposed various defenses against these threats. However, the possible interactions between multiple browser extensions have not been well studied from a security perspective. In this presentation, we identify a novel extension-reuse vulnerability that allows adversaries to launch stealthy attacks against users. This attack uses existing functionality from legitimate extensions so that the malicious extension need not contain any security-sensitive API calls itself. We then present CrossFire, a lightweight static analyzer for Firefox legacy extensions that automatically discovers instances of extension-reuse vulnerabilities, generates exploits that confirm the presence of those vulnerabilities, and outputs exploit templates to help users of the tool rapidly construct proof-of-concept exploits. We analyzed 2,000 Firefox extensions with CrossFire and found that popular extensions, downloaded by millions of users, contain numerous exploitable extension-reuse vulnerabilities. We also performed a case study showing that malicious extensions exploiting extension-reuse vulnerabilities are indeed effective at cloaking themselves from extension vetters.
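To make the vetting problem concrete, here is an added example (not CrossFire's code) of the kind of lightweight check a reviewer could run over a legacy overlay extension: because overlay scripts share one global scope per browser window, any top-level function that wraps privileged XPCOM calls is reachable by other extensions, so the scan flags such functions. The extension script, the list of sensitive interfaces and contract IDs, and the brace-matching heuristic are all assumptions constructed for the example.

```python
import re

# Constructed sample of a legacy overlay-style extension script (not a real add-on).
# Overlay scripts share one global scope per browser window, so each top-level
# function below is callable by any other extension loaded in that window.
SAMPLE_OVERLAY_JS = """
var Cc = Components.classes, Ci = Components.interfaces;
function showStatus(msg) { document.getElementById("status").value = msg; }
function writeTempFile(name, data) {
  var file = Cc["@mozilla.org/file/directory_service;1"]
               .getService(Ci.nsIProperties).get("TmpD", Ci.nsIFile);
  file.append(name);
  var out = Cc["@mozilla.org/network/file-output-stream;1"]
              .createInstance(Ci.nsIFileOutputStream);
  out.init(file, 0x02 | 0x08 | 0x20, 0644, 0);
  out.write(data, data.length);
  out.close();
}
function launch(path, args) {
  var exe = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
  exe.initWithPath(path);
  var p = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);
  p.init(exe); p.run(false, args, args.length);
}
"""

# Interfaces and contract IDs treated as security-sensitive (assumed list, not CrossFire's).
SENSITIVE = ("nsIFile", "nsILocalFile", "nsIFileOutputStream", "nsIProcess",
             "@mozilla.org/process/util;1", "@mozilla.org/file/local;1")
FUNC_RE = re.compile(r"^function\s+(\w+)\s*\([^)]*\)\s*\{", re.M)

def top_level_functions(src):
    """Return {name: body} for top-level function declarations (brace-matched)."""
    funcs = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):           # scan to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        funcs[m.group(1)] = src[m.end():i - 1]
    return funcs

def find_reuse_candidates(src, sensitive=SENSITIVE):
    """Map each globally reachable function to the privileged APIs its body uses."""
    hits = {}
    for name, body in top_level_functions(src).items():
        used = sorted(s for s in sensitive if s in body)
        if used:                                # exposes a reusable privileged capability
            hits[name] = used
    return hits
```

The brace scan ignores braces inside string literals and does not follow calls between functions, so treat its output as review candidates rather than confirmed findings.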


Presenters:

  • William Robertson - Northeastern University
    William Robertson is an assistant professor of Computer Science at Northeastern University in Boston, and co-directs the NEU Systems Security Lab. His research revolves around improving the security of operating systems, mobile devices, and the web, making use of techniques such as security by design, program analysis, and anomaly detection. William is co-chair of ACSAC 2015-2016, co-chaired WOOT 2013, chaired DIMVA 2012, and has participated on the program committees of a number of top-tier systems security venues, including IEEE S&P, USENIX Security, ACM CCS, NDSS and RAID. He is the author of more than forty peer-reviewed journal and conference papers.
  • Ahmet Buyukkayhan - Northeastern University
    Ahmet Salih Buyukkayhan is a PhD candidate at Northeastern University in Boston, and a member of the NEU Systems Security Lab. His research interests include Internet security and operating system security, with a focus on web browser security. He has authored peer-reviewed conference and journal papers in top-tier security venues, including NDSS and the Computers & Security journal. He received MS and BS degrees in Computer Engineering from Bogazici University and Istanbul Technical University in Istanbul, respectively. Previously, he worked for more than five years in the R&D division of a global telecom company.