Abstract
Since their introduction in the 1990s, internet browsers have been adopted by users as a convenient method of interacting with computers and servers, whether collocated with the user or located across the planet. As browsers have become more sophisticated, additional capabilities have been made available to users through browser extensions. When written by trusted agents, these browser extensions provide safeguards for users, but browser extensions can also be written so that a user's data can be extracted and used for purposes the user would never agree to. This paper began with the exploration of extensions in four popular browsers: Safari, Firefox, Chrome, and Internet Explorer (Edge). The author explored the security and privacy practices inherent within the extensions, but only two of these browsers are examined in this paper. Safari is eliminating all extensions outside of its tightly controlled delivery system beginning with the debut of its new operating system in September 2018, and Internet Explorer is being replaced by Edge, which is also tightly controlled by Microsoft. Presumably, Safari and Edge extensions will be secure once the developers submit the code and it is reviewed before the extensions are published. Because there are literally thousands of browser extensions, it is not possible to examine all of them in a single paper, but it is the intent of the author to establish an evaluation framework so browser extensions can be objectively scored.
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Ursell, S., Hayajneh, T. (2020). Desktop Browser Extension Security and Privacy Issues. In: Arai, K., Bhatia, R. (eds) Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-030-12385-7_59
DOI: https://doi.org/10.1007/978-3-030-12385-7_59
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12384-0
Online ISBN: 978-3-030-12385-7
eBook Packages: Intelligent Technologies and Robotics (R0)