Title
Automatic Detection of Information Leakage Vulnerabilities in Browser Extensions
Abstract
A large number of extensions exist in browser vendors' online stores for millions of users to download and use. Many of those extensions process sensitive information from user inputs and webpages; however, it remains a big question whether those extensions may accidentally leak such sensitive information out of the browsers without protection. In this paper, we present a framework, LvDetector, that combines static and dynamic program analysis techniques for automatic detection of information leakage vulnerabilities in legitimate browser extensions. Extension developers can use LvDetector to locate and fix the vulnerabilities in their code; browser vendors can use LvDetector to decide whether the corresponding extensions can be hosted in their online stores; advanced users can also use LvDetector to determine if certain extensions are safe to use. The design of LvDetector is not bound to specific browsers or JavaScript engines, and can adopt other program analysis techniques. We implemented LvDetector and evaluated it on 28 popular Firefox and Google Chrome extensions. LvDetector identified 18 previously unknown information leakage vulnerabilities in 13 extensions with an 87% accuracy rate. The evaluation results and the feedback to our responsible disclosure demonstrate that LvDetector is useful and effective.
Year: 2015
DOI: 10.1145/2736277.2741134
Venue: WWW
Keywords: Web browser extension, JavaScript, Vulnerability analysis
Field: World Wide Web, Information leakage, Web page, Computer security, Computer science, Vulnerability assessment, Responsible disclosure, Program analysis, Information sensitivity, Dynamic program analysis, JavaScript
DocType: Conference
Citations: 3
PageRank: 0.42
References: 32
Authors: 3
Name
Order
Citations
PageRank
Rui Zhao140.79
Chuan Yue222524.00
Qing Yi319011.89