Security Experts:

Unpatched Vulnerabilities Impact Popular Browser Extension Systems

Security researchers have discovered two vulnerabilities that impact the extension systems of major browsers, including Chrome, Firefox, Safari, and Opera.

In a paper presented at the USENIX Security Symposium in Canada earlier this month, Iskander Sanchez-Rola and Igor Santos from the University of Deusto and Davide Balzarotti from Eurecom detailed two different flaws that remain unpatched despite being already responsibly disclosed.

Called Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies, the research paper (PDF) claims that security policies used by major browsers to ensure extensions are protected from third party access can be bypassed, thus enabling enumeration attacks against the list of installed extensions.

By enumerating the installed extensions, an attacker could exploit vulnerabilities. Firefox and Chrome have implemented a form of access control over the extension resources, while Safari adopted the randomization of extension URI at runtime. Each of these implementations can be targeted in a different manner, hence the two attack methods the researchers have discovered.

The first issue, a timing side-channel attack, resides in the fact that, when a website tries to load a resource not present in the list of accessible resources, the browser performs two checks before blocking the request: first it verifies if a certain extension is installed, and then it accesses their control settings to determine whether the requested resource is publicly available.

Improper implementation of this two-step validation opens the door to a timing side-channel attack that could allow an attacker to identify whether an extension isn’t available or the requested resource is kept private. An attacker could use JavaScript code to measure and compare the response time when invoking a fake extension and requesting a non-existent resource for an existing extension: similar response times means the extension isn’t present, the paper claims.

The bug affects all versions of Chromium, impacting browsers such as Chrome, Opera, Yandex, and Comodo. Still in early stages of development, Firefox and Microsoft Edge WebExtensions haven’t been included in the group, but the researchers say they are likely vulnerable as well, because they follow the same extension control mechanism as Chromium.

“Surprisingly, non-WebExtensions in Firefox suffer from a different bug that makes even easier to detect the installed extensions. The browser raises an exception if a webpage requests a resource for non-installed extension, but not in the case when the resource path does not exist. […] an attacker can simply encapsulate the invocation in a try-catch block to distinguish between the two execution paths and reliably test for the presence of a given extension,” the researchers explained.

The second vulnerability impacts the URI randomization technique adopted by Safari and can result in the unintentional leakage of the random extension URI, which can then be used by “third-parties to unequivocally identify the user while browsing during the same session.” The issue, the researchers argue, is that the implementation depends on developers to deny third-party access to resources.

“The entire security of the extension access control in Safari relies on the secrecy of the randomly generated token. However, the token is part of the extension URI which is often used by the extensions to reference public resources injected in the page. As a result, we believe that this design choice makes it very easy for developers to unintentionally leak the secret token,” the paper reads.

The attacks can be leveraged to perform accurate browser fingerprinting, to check for built-in extensions, and to determine users’ demographics, but can also be used for malicious purposes. An attacker searching for specific extensions can narrow their attack surface or can personalize their exploit kit to serve a specific payload, the researchers argue.

“We responsibly disclosed all our findings and we are now discussing with the developers of several browsers and extensions to propose the correct countermeasures to mitigate these attacks in both current and future versions,” the researchers conclude.

“Internet browsers have to be updated to fix this vulnerability. In the meantime, users can defend against these types of attacks, which consist of bogus requests to APIs, by blocking these requests using a firewall or other application level access control devices.” Ajay Uggirala, director of product marketing at Imperva, told SecurityWeek in an emailed statement.

“As we use more and more APIs, it is important for companies to make sure all their APIs and the requests to them are secured. With many APIs that are exposed, it is best to deploy API security gateways or Application firewalls that can process requests to APIs. This is to ensure that whenever there are unsolicited or brute force API requests, they can be blocked before giving back any information to that malicious request,” Uggirala concluded.

Related: Hijacked Extensions Put 4.7 Million Chrome Users at Risk

Related: Google Tightens Security Rules for Chrome Extensions

view counter