Botnet in the Browser: Understanding Threats Caused by Malicious Browser Extensions
Raffaello Perrotta, Feng Hao

TL;DR
This paper analyzes the security threats posed by malicious browser extensions, presenting a comprehensive botnet framework and attack methods across multiple browsers and platforms, highlighting over-privileged capabilities as a key vulnerability.
Contribution
It introduces the first extensive analysis of browser extension-based botnets, categorizes various attacks, and discusses potential countermeasures for these security issues.
Findings
Identified over-privileged extension capabilities as a major security risk.
Developed a comprehensive botnet framework exploiting browser extension vulnerabilities.
Validated attacks across multiple browsers and operating systems.
Abstract
Browser extensions have been established as a common feature present in modern browsers. However, some extension systems risk exposing APIs which are too permissive and cohesive with the browser's internal structure, thus leaving a hole for malicious developers to exploit security critical functionality within the browser itself. In this paper, we raise the awareness of the threats caused by browser extensions by presenting a botnet framework based on malicious extensions installed in the user's browser, and an exhaustive range of attacks that can be launched in this framework. We systematically categorize, describe and implement these attacks against Chrome, Firefox and Firefox-for-Android, and verify experiments on Windows, Linux and Android systems. To the best of our knowledge, this paper presents to date the most comprehensive analysis about the threats of botnet in modern browsers…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Web Application Security Vulnerabilities
