Since extension hijacking can be troublesome to detect and manage, researchers have presented a new solution: a static analyzer tool, dubbed ‘DoubleX’, that identifies rogue browser extensions.
DoubleX Static Analyzer To Detect ‘Ill’ Browser Extension
Researchers from CISPA Helmholtz Center for Information Security, Germany, have shared details about the DoubleX analyzer tool to detect hijacked browser extensions.
As elaborated in their detailed research paper, this tool works by analyzing communications between extensions and web pages. Although the two are isolated from each other, the researchers explain that they can still communicate. Hence, any vulnerabilities in browser extensions allow adversaries to take over otherwise legitimate browser extensions. This strategy enables them to escape security checks and gives them a greater attack surface and a larger list of target victims.
That’s where DoubleX plays a role in spotting such vulnerable extensions. Regarding how the tool works, the paper reads,
“DoubleX defines an Extension Dependence Graph (EDG), which abstracts extension code with control and data flows, pointer analysis, and models the message interactions within and outside of an extension. This way, we can leverage this graph to track and detect suspicious data flows between external actors and sensitive APIs in browser extensions.”
In their study, the researchers analyzed 154,484 Chrome extensions and spotted 278 of them exhibiting “suspicious data flow”. Furthermore, they observed that adversaries could abuse such extensions for malicious purposes, which they demonstrated with 184 extensions.
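As an added illustration (not code from the paper or from the DoubleX project), the sketch below shows the kind of flow described above: a message from a web page reaching a privileged extension call. It shows a weak handler beside a hardened one. The names `privilegedFetch`, `TRUSTED_ORIGIN` and `ALLOWED_HOSTS`, and all sample messages, are constructed assumptions.

```javascript
// Constructed example: every name and value here is hypothetical.
const TRUSTED_ORIGIN = "https://app.example.com";
const ALLOWED_HOSTS = new Set(["api.example.com"]);

// Weak form: data from any page flows straight into the privileged call.
// This is the external-actor-to-sensitive-API flow a static analyzer should flag.
function weakHandler(event, privilegedFetch) {
  if (event.data && event.data.type === "fetch") {
    return privilegedFetch(event.data.url);
  }
  return null;
}

// Hardened form: authenticate the sender, then validate the data itself.
function hardenedHandler(event, privilegedFetch) {
  if (event.origin !== TRUSTED_ORIGIN) return null;            // who sent it
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return null;    // shape check
  if (msg.type !== "fetch" || typeof msg.url !== "string") return null;
  let target;
  try {
    target = new URL(msg.url);                                 // must parse
  } catch {
    return null;
  }
  if (target.protocol !== "https:") return null;
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;        // destination allowlist
  return privilegedFetch(target.href);
}

// Runs both handlers over constructed message events and records which
// URLs reached the (stubbed) privileged call.
function runSamples() {
  const ok = "https://api.example.com/v1/items";
  const samples = [
    { origin: TRUSTED_ORIGIN, data: { type: "fetch", url: ok } },
    { origin: "https://untrusted.example.net", data: { type: "fetch", url: ok } },
    { origin: TRUSTED_ORIGIN, data: { type: "fetch", url: "https://internal.example.org/admin" } },
    { origin: TRUSTED_ORIGIN, data: { type: "fetch", url: "not a url" } },
  ];
  const calls = { weak: [], hardened: [] };
  for (const ev of samples) {
    weakHandler(ev, (u) => calls.weak.push(u));
    hardenedHandler(ev, (u) => calls.hardened.push(u));
  }
  return calls;
}
```

Of the four sample messages, the weak handler forwards all of them to the privileged call, while the hardened handler forwards only the one from the trusted origin to an allowlisted host.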
The DoubleX extension analyzer tool is available as open source on GitHub, from where interested users can download the tool for testing. It can easily work with extensions for Chrome, other Chromium-based browsers, and Firefox.
However, the tool currently has some limitations; for example, it may miss vulnerabilities due to dynamic code generation. Nonetheless, its functionality can still help tech giants vet vulnerable extensions in stores.