Desktop Browser Extension Security and Privacy Issues

Advances in Information and Communication (FICC 2019)

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 70)

Abstract

Since the introduction of internet browsers in the 1990s, users have adopted them as a convenient method of interacting with computers and servers, whether collocated with the user or located across the planet. As browsers have become more sophisticated, additional capabilities have been made available to users through browser extensions. When written by trusted agents, these browser extensions provide safeguards for users, but browser extensions can also be written so that a user's data can be extracted and used for purposes the user would never agree to. This paper began with the exploration of extensions in four popular browsers: Safari, Firefox, Chrome, and Internet Explorer (Edge), and the author explored the security and privacy practices inherent within the extensions; however, only two of these browsers will be examined in this paper. Safari is eliminating all extensions outside of its tightly controlled delivery system beginning with the debut of its new operating system in September 2018, and Internet Explorer is being replaced by Edge, which is also tightly controlled by Microsoft. Presumably, Safari and Edge extensions will be secure once the developers submit the code and it is reviewed before the extensions are published. Because there are literally thousands of browser extensions, it is not possible to examine all of them in a single paper, but it is the intent of the author to establish an evaluation framework so browser extensions can be objectively scored.

Author information

Corresponding author

Correspondence to Steven Ursell.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Ursell, S., Hayajneh, T. (2020). Desktop Browser Extension Security and Privacy Issues. In: Arai, K., Bhatia, R. (eds) Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-030-12385-7_59
