Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser...
Transcript of Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser...
![Page 1: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/1.jpg)
Ex-Ray: Detection of History-LeakingBrowser Extensions
Michael Weissbacher Northeastern University
Joint work with: Enrico Mariconti, Guillermo Suarez-Tangil,
Gianluca Stringhini, William Robertson, Engin Kirda
![Page 2: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/2.jpg)
What are Browser Extensions? ●Additions to browser core functionality
●Powerful application access based on permissions
○ Modification of active pages
○ Modification of requests / responses
○ Often access to all visited pages
○ Access to cookies
○ Access to previous history
![Page 3: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/3.jpg)
- Google Chrome C )(
D about:blank x
~ C (D about:blank
What are Browser Extensions?
![Page 4: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/4.jpg)
'"' ~-",,.!:~<,:;:- "" ~.... '""
'""'°'-o l!!R!!II ~
:.."'!:'";~~ ~:::·:;:-'-'-·(11
![Page 5: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/5.jpg)
Privacy Implications of Browser Extensions ●Permission system inadequate to contain history leaks ●Only modest permissions required to leak complete browsing history ●Collection sometimes mentioned in terms of service ●User expectation might not align with actual behavior ●Automatic updates of extensions can lead to future leaking behavior ●No unified way of detection or indication for users
![Page 6: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/6.jpg)
Comparison Web Tracking and Extension Tracking
On Websites: – Opt-in: Website owner – Opt-out: Ad blockers or Tracker blockers
In Extensions: – (typically) all websites – Implicit Opt-in through installation – No opt-out
![Page 7: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/7.jpg)
Motivation: Manual Analysis ●One library used across unrelated extensions to leak history
●42 extensions
●8M active users
●Findings documented in blog post
●Google deleted all extensions within 24 hours
●No change in policy
![Page 8: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/8.jpg)
HoneyPot Probe: Overview ●Extensions run in isolation
●Use URLs unique to extension
●Browsing our website...
●... which is also available on the public Internet
●Monitor for incoming connections
![Page 9: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/9.jpg)
• Execut ed I l I X Contacted .... ;J; . .... .-, I I I 30 • • , •• ID()()( ~
% ~; I I ~ 25 0 V) I I • • ••• >«• C I I I • •••• • 2 20 X
::-!r. lt"'" • Q)
Q) I I e eclC9C 'a E 15 • e II ••••x • ..c ;- ;-t 1 I I u 10 tc X f xj I xLI
• }·:·· 5 ac,cxx X • -- -0 llaDO(
2016-11 2016-12 2017-01 2017-02 2017-03 2017-04 2017-05 2017-06
35
HoneyPot Probe
![Page 10: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/10.jpg)
HoneyPot Probe: Results
●Connections prove use of data: data is being acted on ●> 3M active users for these extensions ●Connection often immediately after execution ●Lower bound of leaks ●Indicators for collaboration ●Motivation for automated detection system
![Page 11: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/11.jpg)
Ex-Ray: Overview ●System for automated detection of history leaks ●Goal: Robust Detection ● Method of data collection ● Traffic obfuscation / encryption ●Two complementary automated detection systems ●Additional triage system to assist analysts ●Based on Traffic analysis and browser instrumentation ●Analyzed extensions with more than 1,000 users(10,000+ extensions)
![Page 12: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/12.jpg)
.06
6 1.04
"' ~ 5 >, .0
"' ~ 1 .02 >, .0 ..,
C: I Cl)
"' c Qj
"' "O "O 1 .00 - -Cl) Qj
.!::! .!::! 11)
0 E 0 3
z
0 2
I II 11' E 0 0 .98 z
0.96
...L ...L
Two Three Four 0 .94
Two Three Four
(a) Tracking extension. (b) Benign extensions.
Ex-Ray: Methodology
●Counterfactual analysis ●Based on properties oftracking behavior ●Modifications to historylead to modified network behavior ●Sent data increases as a function of history size
1
![Page 13: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/13.jpg)
Findings ●10M+ active users were leaking their history ●10,691 extensions analyzed ●212 extensions flagged by Ex-Ray (28 wrongly identified - False Detection Rate: 0.27%) ●Two novel ways of leakage detected
![Page 14: Ex-Ray: Detection of History-Leaking Browser Extensions · Based on Traffic analysis and browser instrumentation ... Sent data increases as a function of history size . 1 . ... Conclusion](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9df03a75863f281c7a7e6f/html5/thumbnails/14.jpg)
Conclusion
●History leaks through browser extensions widespread ●Extension stores do not scan for history leaks ●Robust leak detection possible ●Possible remediation
○ Integration of leak detection into extension stores ○ Users should uninstall unused extensions
https://mweissbacher.com/blog/2017/10/05/ex-ray-finding-browser-extensions-that-spy-on-your-browsing-habits/