Connect with us

Hi, what are you looking for?


Endpoint Security

Unpatched Vulnerabilities Impact Popular Browser Extension Systems

Security researchers have discovered two vulnerabilities that impact the extension systems of major browsers, including Chrome, Firefox, Safari, and Opera.

Security researchers have discovered two vulnerabilities that impact the extension systems of major browsers, including Chrome, Firefox, Safari, and Opera.

In a paper presented at the USENIX Security Symposium in Canada earlier this month, Iskander Sanchez-Rola and Igor Santos from the University of Deusto and Davide Balzarotti from Eurecom detailed two different flaws that remain unpatched despite being already responsibly disclosed.

Called Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies, the research paper (PDF) claims that security policies used by major browsers to ensure extensions are protected from third party access can be bypassed, thus enabling enumeration attacks against the list of installed extensions.

By enumerating the installed extensions, an attacker could exploit vulnerabilities. Firefox and Chrome have implemented a form of access control over the extension resources, while Safari adopted the randomization of extension URI at runtime. Each of these implementations can be targeted in a different manner, hence the two attack methods the researchers have discovered.

The first issue, a timing side-channel attack, resides in the fact that, when a website tries to load a resource not present in the list of accessible resources, the browser performs two checks before blocking the request: first it verifies if a certain extension is installed, and then it accesses their control settings to determine whether the requested resource is publicly available.

Improper implementation of this two-step validation opens the door to a timing side-channel attack that could allow an attacker to identify whether an extension isn’t available or the requested resource is kept private. An attacker could use JavaScript code to measure and compare the response time when invoking a fake extension and requesting a non-existent resource for an existing extension: similar response times means the extension isn’t present, the paper claims.

The bug affects all versions of Chromium, impacting browsers such as Chrome, Opera, Yandex, and Comodo. Still in early stages of development, Firefox and Microsoft Edge WebExtensions haven’t been included in the group, but the researchers say they are likely vulnerable as well, because they follow the same extension control mechanism as Chromium.

Advertisement. Scroll to continue reading.

“Surprisingly, non-WebExtensions in Firefox suffer from a different bug that makes even easier to detect the installed extensions. The browser raises an exception if a webpage requests a resource for non-installed extension, but not in the case when the resource path does not exist. […] an attacker can simply encapsulate the invocation in a try-catch block to distinguish between the two execution paths and reliably test for the presence of a given extension,” the researchers explained.

The second vulnerability impacts the URI randomization technique adopted by Safari and can result in the unintentional leakage of the random extension URI, which can then be used by “third-parties to unequivocally identify the user while browsing during the same session.” The issue, the researchers argue, is that the implementation depends on developers to deny third-party access to resources.

“The entire security of the extension access control in Safari relies on the secrecy of the randomly generated token. However, the token is part of the extension URI which is often used by the extensions to reference public resources injected in the page. As a result, we believe that this design choice makes it very easy for developers to unintentionally leak the secret token,” the paper reads.

The attacks can be leveraged to perform accurate browser fingerprinting, to check for built-in extensions, and to determine users’ demographics, but can also be used for malicious purposes. An attacker searching for specific extensions can narrow their attack surface or can personalize their exploit kit to serve a specific payload, the researchers argue.

“We responsibly disclosed all our findings and we are now discussing with the developers of several browsers and extensions to propose the correct countermeasures to mitigate these attacks in both current and future versions,” the researchers conclude.

“Internet browsers have to be updated to fix this vulnerability. In the meantime, users can defend against these types of attacks, which consist of bogus requests to APIs, by blocking these requests using a firewall or other application level access control devices.” Ajay Uggirala, director of product marketing at Imperva, told SecurityWeek in an emailed statement.

“As we use more and more APIs, it is important for companies to make sure all their APIs and the requests to them are secured. With many APIs that are exposed, it is best to deploy API security gateways or Application firewalls that can process requests to APIs. This is to ensure that whenever there are unsolicited or brute force API requests, they can be blocked before giving back any information to that malicious request,” Uggirala concluded.

Related: Hijacked Extensions Put 4.7 Million Chrome Users at Risk

Related: Google Tightens Security Rules for Chrome Extensions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.