Extension APIs Can Steal Browser Data Through Malicious Websites


All of the major web browsers, such as Chrome, Firefox and Opera, expose extension APIs. These APIs exist to give the user a richer browsing experience and functionality that the browser does not provide natively. However, a recent academic paper has highlighted possible flaws in how extensions use these APIs.

Malicious Websites

One way that malicious websites can abuse extension APIs is by getting an extension to execute code within the browser on their behalf. This code then lets the attacker steal sensitive information: bookmarks, browsing history and even cookies can be accessed, leaving the user vulnerable.

Online attackers can also use these extensions to hijack a user's login sessions. This would give them access to sensitive data, including emails and social media profiles.

New Research

Access to users' data via extension APIs was thought to be theoretical. However, an academic paper published by Dolière Francis Somé found some anomalies. The paper was written by Somé while conducting research at the Université Côte d'Azur, with the help of INRIA, a French research institute.

Somé created a tool and used it to test over 78,000 extensions. He concentrated on the most popular browsers, including Chrome, Firefox and Opera.

Worrying Findings

Following his testing, Somé identified 197 extensions that exposed their API communication interfaces to web pages. This would allow malicious websites access to data stored in the user's web browser. Somé said the findings were surprising because only 15 of the extensions were developer tools. Developer tools often have full control over the browser and would be easy to exploit; the remaining extensions had no such justification for the exposure.

Of the 197 extensions found, fewer than 55 percent had more than 1,000 installs. However, 15 percent had more than 10,000 installs.

Notifying Browser Vendors

Somé notified the browser vendors before going public with his findings. All of the vendors acknowledged the issues and stated that they are taking action on the extensions identified.

Both Opera and Firefox have removed all of the reported extensions. Chrome, on the other hand, is still in discussions about potential action, including removing the extensions or fixing the APIs.

Somé has also created a tool that lets users test their own extensions. Anyone can use the web-based tool by copying and pasting the extension's manifest.json file into it.

The tool can be found HERE
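As an added illustration (not Somé's tool, whose checks are not described in this article), the following Python snippet performs a simplified, manifest-only triage: it reports which web origins an extension lets message it through Chrome's `externally_connectable` key, which pages receive its content scripts, and which of the sensitive permissions named above it holds. The sample manifest and the risk thresholds are assumptions constructed for this example.

```python
import json

# Permissions whose data the article names as at risk (cookies, history,
# bookmarks) plus a few that grant comparable reach into the browser.
SENSITIVE_PERMISSIONS = {"cookies", "history", "bookmarks", "tabs",
                         "webRequest", "downloads", "<all_urls>"}


def _host(pattern):
    """Host part of a match pattern such as '*://*.example.com/*'."""
    return pattern.split("://", 1)[-1].split("/", 1)[0]


def triage_manifest(manifest_text):
    """Summarise an extension manifest's exposure to web pages.

    This reads the manifest only: it shows which pages *may* reach the
    extension, not whether the background script honours their requests.
    That still requires reviewing the extension's code.
    """
    m = json.loads(manifest_text)
    ext = m.get("externally_connectable") or {}
    web_origins = list(ext.get("matches", []))           # pages allowed to message us
    cs_pages = sorted({p for cs in m.get("content_scripts", [])
                       for p in cs.get("matches", [])})  # pages receiving our scripts
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    # Wildcard hosts widen exposure: every site under the pattern qualifies.
    wildcard_hosts = [p for p in web_origins if _host(p).startswith("*.")]
    if web_origins and sensitive:
        risk = "high"      # websites can talk to an extension holding sensitive APIs
    elif cs_pages and sensitive:
        risk = "review"    # a content script could relay page messages; check its code
    else:
        risk = "low"
    return {"web_origins": web_origins, "wildcard_hosts": wildcard_hosts,
            "content_script_pages": cs_pages, "sensitive_permissions": sensitive,
            "risk": risk}


# Constructed sample manifest for demonstration; not a real extension.
SAMPLE_MANIFEST = """{
  "name": "Example Sync Helper", "manifest_version": 2,
  "permissions": ["cookies", "history", "storage"],
  "externally_connectable": {"matches": ["*://*.example.com/*"]},
  "content_scripts": [{"matches": ["https://*/*"], "js": ["relay.js"]}]
}"""

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```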

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]