After you, please: browser extensions order attacks and countermeasures

Picazo-Sanchez, Pablo; Tapiador, Juan E.; Schneider, Gerardo

doi:10.1007/s10207-019-00481-8

Cited by 10 publications

(2 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent works [269] demonstrates empirically that this order could be exploited by an unprivileged malicious extension (i.e., one with no more permissions than those already assigned when accessing web content) to get access to any private information that other extensions have previously introduced. To the best of our knowledge, there still is no solution to this problem.…”

Section: Browser Extensionsmentioning

confidence: 99%

A survey of challenges for runtime verification from advanced application domains (beyond software)

Sánchez

Schneider

Ahrendt

et al. 2019

Form Methods Syst Des

Self Cite

View full text Add to dashboard Cite

Runtime verification is an area of formal methods that studies the dynamic analysis of execution traces against formal specifications. Typically, the two main activities in runtime verification efforts are the process of creating monitors from specifications, and the algorithms for the evaluation of traces against the generated monitors. Other activities involve the instrumentation of the system to generate the trace and the communication between the system under analysis and the monitor.Most of the applications in runtime verification have been focused on the dynamic analysis of software, even though there are many more potential applications to other computational devices and target systems. In this paper we present a collection of challenges for runtime verification extracted from concrete application domains, focusing on the difficulties that must be overcome to tackle these specific challenges. The computational models that characterize these domains require to devise new techniques beyond the current state of the art in runtime verification.

show abstract

Section: Browser Extensionsmentioning

confidence: 99%

A survey of challenges for runtime verification from advanced application domains (beyond software)

Sánchez

Schneider

Ahrendt

et al. 2019

Form Methods Syst Des

Self Cite

View full text Add to dashboard Cite

show abstract

“…As much as it helps to discover the characteristics of every extension separately, it does not provide a view on the sideeffects of communication-channel and potential collusion that may exist between multiple extensions installed at the client. Picazo-Sanchez et al [28] further showed that the browser decides the execution order of each extension based on their registered event listeners and installation timestamp, which may cause unintended security issues at the client. Since it is infeasible to analyze the collusion pattern among every combination of extensions, we aim to identify those that are externally-connectable and clusters based on their functionalities and installations to detect any potential collusion pattern arising from the union of their respective privileges.…”

Section: Improvements and Future Workmentioning

confidence: 99%

First, Do No Harm: Studying the manipulation of security headers in browser extensions

Agarwal¹,

Stock²

2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

We recently noticed a critical error with our measurement method. The problem originates from server-side randomness (that sometimes omits headers on a follow-up request) as well as a race condition in CDP/browser extensions. This leads to an unknown (yet likely quite high) number of false positives we report in the paper. See our blog post for details. Overall, since retroactively fixing the numbers is infeasible, the number of extensions reported in the paper must not be assumed to be correct. The following is the final version as was presented at the workshop. We leave it up nevertheless to allow others to better understand the technical aspects of our work, and to avoid they make similar mistakes.

show abstract