Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Chrome Software The Internet

How Web Apps Can Turn Browser Extensions Into Backdoors (threatpost.com) 34

"Threatpost has a link to some recent research about ways web pages can exploit browser extensions to steal information or write files," writes Slashdot reader jbmartin6. "Did we need another reason to be deeply suspicious of any browser extension? Not only do they spy on us for their makers, now other people can use them to spy on us as well. The academic paper is titled 'Empowering Web Applications with Browser Extensions' (PDF)." From the report: "An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application," researchers wrote. They added, "Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another... APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications."

The researcher behind the paper focused on a specific class of web extension called "WebExtensions API," a cross-browser extensions system compatible with major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 extensions that used the specific WebExtension API, it found 3,996 that were suspicious. While it seems voluminous, they noted that research found a small number of vulnerable extensions overall, and that concern should be measured. However, "browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions."

This discussion has been archived. No new comments can be posted.

How Web Apps Can Turn Browser Extensions Into Backdoors

Comments Filter:
  • by Anonymous Coward

    So basically the whole "we're dropping XUL for webextensions. Because...uh...security!" thing from mozilla which crippled all my favourite extensions was pointless.

    • Re:So (Score:5, Insightful)

      by Bob-Bob Hardyoyo ( 4240135 ) on Wednesday January 23, 2019 @09:05PM (#58012378)

      Yep. Anyone with a drop of decent cynicism knows that the goal is to cripple ad blocking and privacy protection and that "security" is just the excuse.

      • by macraig ( 621737 )

        The goal for us is to cripple the cripplers. Having a browser-independent updated HTTPS-ready version of Proxomitron would really help.

      • So you think your free ad blocking extension is above suspicion? That's the dumbest thing I ever heard.
      • by thomn8r ( 635504 )

        Yep. Anyone with a drop of decent cynicism knows that the goal is to cripple ad blocking and privacy protection and that "security" is just the excuse.

        But think of the children!

    • by gl4ss ( 559668 )

      isn't it quite obvious that a web page can communicate with a browser extension though? like really fucking obvious? further than that you could just make the extension exploit the computer directly as long as you're coding it...

  • Everything is supposed to run that way anyway, right? This shouldn't be an issue.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...