An Empirical Study of Dangerous Behaviors in Firefox Extensions

  • Jiangang Wang
  • Xiaohong Li
  • Xuhui Liu
  • Xinshu Dong
  • Junjie Wang
  • Zhenkai Liang
  • Zhiyong Feng
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)


Browser extensions provide additional functionality and customization to browsers. To support such functionality, extensions interact with browsers through a set of APIs of different privilege levels. As previous studies have shown, browser extensions are often granted more privileges than necessary. Extensions can directly threaten the host system as well as web applications, or introduce indirect threats to web sessions by injecting content into web pages. In this paper, we conduct an empirical study of extension behaviors, especially those that affect web sessions. We developed a dynamic technique to track the behaviors of injected scripts and analyzed the impact of these scripts. We analyzed the behaviors of 2465 extensions and discuss their security implications. We also propose a solution to mitigate indirect threats to web sessions.


Keywords (machine-generated, not supplied by the authors): Direct Threat; Dangerous Behavior; Extension Framework; Extension Behavior; Password Manager





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jiangang Wang (1)
  • Xiaohong Li (1)
  • Xuhui Liu (2)
  • Xinshu Dong (2)
  • Junjie Wang (1)
  • Zhenkai Liang (2)
  • Zhiyong Feng (1)
  1. Department of Computer Science, Tianjin University, China
  2. School of Computing, National University of Singapore, Singapore
