Researchers from Deusto and Eurecom will present how they have subverted the Extension Resources Control of every existent Browser and its Implications at the flagship Usenix Security Conference

The paper “Extension Breakdown: Security Analysis of Browsers Extension Resources Policies” by Iskander Sanchez-Rola (DeustoTech), Igor Santos (DeustoTech), and Davide Balzarotti (Eurecom) has been accepted in the prestigious top-tier conference Usenix Security (Sec). This venue is part of the top-4 security conferences, the most important and the best system security research conferences. This year, only 85 papers were accepted out of 522 submissions.

In their paper, they have analyzed the resources control policies and processes of the current browsers, that are supposed to avoid non-legit accesses and attacks. From the two different control methods that exist: Access Control and URI randomization, the researchers have found several design flaws and vulnerabilities. By exploiting them, they have been capable to enumerate the 100% of the extensions in the case of access control and an estimation of 40% of extensions in the case of randomization.

To bypass the access control, the authors have noticed the tiny time differences when trying to access an installed extension and when the extension is not installed. Due to the internal implementation for registering installed extensions, it is possible to measure the difference and determine whether or not a user has a specific extension installed, allowing a complete enumeration of the 100% of the existing extensions. In the case of randomization, the authors have focused in the extension development and whether the developers may be leaking this random part. They have designed a method for identify this leakage, leading to a 40% enumeration of this kind of extensions.

This enumeration attacks allow more dangerous ones, such content personalization to trick the user, targeted malware based on the installed components, exploit vulnerable extensions, or fingerprinting the user.

The authors have responsibly disclosed their findings to the developers of the major browser families with access control (Chrome, Firefox and Edge) and also they have communicated the leakage to the Safari Extension developers, providing a possible solution in each case. Right now, they are working to solve these problems.

Needless to say, this is yet another important milestone by the Information and System Security research group in DeustoTech that proves that its work is at the same top level as the most important scientific groups in the world.