
Towards Browser Controls to Protect Cookies from Malicious Extensions (2405.06830v2)

Published 10 May 2024 in cs.CR

Abstract: Cookies maintain state across related web traffic. As such, cookies are commonly used for authentication by storing a user's session ID and replacing the need to re-enter credentials in subsequent traffic. These so-called "session cookies" are prime targets for attacks that aim to steal them to gain unauthorized access to user accounts. To mitigate these attacks, the Secure and HttpOnly cookie attributes limit a cookie's accessibility from malicious networks and websites. However, these controls overlook browser extensions: third-party HTML/JavaScript add-ons with access to privileged browser APIs and the ability to operate across multiple websites. Thus, malicious or compromised extensions can provide unrestricted access to a user's session cookies. In this work, we first analyze the prevalence of extensions with access to "risky" APIs (those that enable cookie modification and theft) and find that they have hundreds of millions of users. Motivated by this, we propose a mechanism to protect cookies from malicious extensions by introducing two new cookie attributes: BrowserOnly and Monitored. The BrowserOnly attribute prevents extension access to cookies altogether. While effective, not all cookies can be made inaccessible. Thus, cookies with the Monitored attribute remain accessible but are tied to a single browser, and any changes made to the cookie are logged. As a result, stolen Monitored cookies are unusable outside their original browser, and servers can validate the modifications performed. To demonstrate the proposed functionalities, we design and implement CREAM (Cookie Restrictions for Extension Abuse Mitigation), a modified version of the open-source Chromium browser realizing these controls. Our evaluation indicates that CREAM effectively protects cookies from malicious extensions while incurring little run-time overhead.

Authors (2)
  1. Liam Tyler (3 papers)
  2. Ivan De Oliveira Nunes (23 papers)
Citations (3)
