AUTOMATED DETECTION OF FIREFOX EXTENSION-REUSE VULNERABILITIES, presented at Black Hat Asia 2016

by William Robertson, Ahmet Buyukkayhan,

Summary: Major web browsers provide extension mechanisms that allow third parties to modify the browser's behavior, enhance its functionality and GUI, and integrate it with popular web services. Extensions can often access private browsing information such as cookies, history, and password stores, as well as sensitive system resources. Consequently, malicious extensions, or attacks directed at legitimate but vulnerable extensions, pose a significant security risk to users. The research community has presented studies and tools that analyze the security properties of extensions and has proposed various defenses against these threats. However, the possible interactions between multiple browser extensions have not been well studied from a security perspective.
In this presentation, we identify a novel extension-reuse vulnerability that allows adversaries to launch stealthy attacks against users. This attack uses the existing functionality of legitimate extensions to avoid the inclusion of security-sensitive API calls within the malicious extension itself. We then present CrossFire, a lightweight static analyzer for Firefox legacy extensions that automatically discovers instances of extension-reuse vulnerabilities, generates exploits that confirm the presence of vulnerabilities, and outputs exploit templates to assist users of the tool in rapidly constructing proof-of-concept exploits. We analyzed 2,000 Firefox extensions with CrossFire and found that popular extensions, downloaded by millions of users, contain numerous exploitable extension-reuse vulnerabilities. We also performed a case study to show that malicious extensions exploiting extension-reuse vulnerabilities are indeed effective at cloaking themselves from extension vetters.