Escaping the Confines of Time

Σολωμός, Κωνσταντίνος; Ilia, Panagiotis; Nikiforakis, Nick; Polakis, Jason

doi:10.1145/3548606.3560576

Cited by 4 publications

(1 citation statement)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Additionally, they revealed that about 67% of extensions triggered by mouse or keyboard events could be detected through artificial user actions. Additionally, Solomos et al [45] proposed continuous fingerprinting, a technique capable of capturing transient modifications made by extensions, previously undetectable due to their ephemeral nature. This technique substantially increases the coverage of extensions detectable through their DOM modifications.…”

Section: Extension Detectionmentioning

confidence: 99%

From Manifest V2 to V3: A Study on the Discoverability of Chrome Extensions

Bucci,

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Browser extensions allow users to customise and improve their web browsing experience. The Manifest protocol was introduced to mitigate the risk of accidental vulnerabilities in extensions, introduced by inexperienced developers. In Manifest V2, the introduction of webaccessible resources (WARs) limited the exposure of extension files to web pages, thereby reducing the potential for exploitation by malicious actors, which was a significant risk in the previous unrestricted access model. Building on this, Manifest V3 coupled WARs with match patterns, allowing extension developers to precisely define which websites can interact with their extensions, thereby limiting unintended exposures and reducing potential privacy risks associated with websites detecting user-installed extensions. In this paper, we investigate the impact of Manifest V3 on WAR-enabled extension discovery by providing an empirical study of the Chrome Web Store. We collected and analysed 108,416 extensions and found that Manifest V3 produces a relative reduction in WAR detectability ranging between 4% and 10%, with popular extensions exhibiting a higher impact. Additionally, our study revealed that 30.78% of extensions already transitioned to Manifest V3. Finally, we implemented X-Probe, a live demonstrator showcasing WAR-enabled discovery. Our evaluation shows that our demonstrator can detect 22.74% of Manifest V2 and 18.3% of Manifest V3 extensions. Moreover, within the 1000 most popular extensions, the detection rates rise to a substantial 58.07% and 47.61%, respectively. In conclusion, our research shows that developers commonly associate broad match patterns to their WARs either because of poor security practices, or due to the inherent functional requirements of their extensions.

show abstract

Section: Extension Detectionmentioning

confidence: 99%