Automatic detection of information leakage vulnerabilities in browser extensions

Rui Zhao, Chuan Yue, Qing Yi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

13 Scopus citations

Abstract

A large number of extensions exist in browser vendors' on-line stores for millions of users to download and use. Many of those extensions process sensitive information from user inputs and webpages; however, it remains a big question whether those extensions may accidentally leak such sensitive information out of the browsers without protection. In this paper, we present a framework, LvDetector, that combines static and dynamic program analysis techniques for automatic detection of information leakage vulnerabilities in legitimate browser extensions. Extension developers can use LvDetector to locate and fix the vulnerabilities in their code; browser vendors can use LvDetector to decide whether the corresponding extensions can be hosted in their online stores; advanced users can also use LvDetector to determine if certain extensions are safe to use. The design of LvDetector is not bound to specific browsers or JavaScript engines, and can adopt other program analysis techniques. We implemented LvDetector and evaluated it on 28 popular Firefox and Google Chrome extensions. LvDetector identified 18 previously unknown information leakage vulnerabilities in 13 extensions with an 87% accuracy rate. The evaluation results and the feedback to our responsible disclosure demonstrate that LvDetector is useful and effective.

Original language: English (US)
Title of host publication: WWW 2015 - Proceedings of the 24th International Conference on World Wide Web
Publisher: Association for Computing Machinery, Inc
Pages: 1384-1394
Number of pages: 11
ISBN (Electronic): 9781450334693
State: Published - May 18 2015
Externally published: Yes
Event: 24th International Conference on World Wide Web, WWW 2015 - Florence, Italy
Duration: May 18 2015 to May 22 2015

Publication series

Name: WWW 2015 - Proceedings of the 24th International Conference on World Wide Web

Conference

Conference: 24th International Conference on World Wide Web, WWW 2015
Country/Territory: Italy
City: Florence
Period: 5/18/15 to 5/22/15

Keywords

  • JavaScript
  • Vulnerability analysis
  • Web browser extension

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
