# EmPoWeb: Empowering Web Applications with Browser Extensions

**Authors:** Doli\`ere Francis Som\'e

arXiv: 1901.03397 · 2019-01-14

## TL;DR

This paper analyzes how web applications can exploit browser extension communication interfaces to access sensitive user data, revealing significant security and privacy vulnerabilities across major browsers.

## Contribution

It identifies security flaws in extension-web app communication channels and proposes detection tools to help browser vendors mitigate these risks.

## Key findings

- Web applications can access user cookies, history, and bookmarks via extensions.
- Many extensions expose APIs exploitable by web applications for privilege escalation.
- The study provides a tool for detecting and fixing extension-related security issues.

## Abstract

Browser extensions are third party programs, tightly integrated to browsers, where they execute with elevated privileges in order to provide users with additional functionalities. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application. They also have access to sensitive user information including browsing history, bookmarks, cookies and list of installed extensions. Extensions have a permanent storage in which they can store data and can trigger the download of arbitrary files on the user's device. For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information. In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions' APIS, web applications can bypass SOP, access user cookies, browsing history, bookmarks, list of installed extensions, extensions storage, and download arbitrary files on the user's device. Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users. We discuss countermeasures and proposals, and believe that our study and in particular the tool we used to detect and exploit these threats, can be used as part of extensions review process by browser vendors to help them identify and fix the aforementioned problems in extensions.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1901.03397/full.md

## Figures

4 figures with captions in the complete paper: https://tomesphere.com/paper/1901.03397/full.md

## References

78 references — full list in the complete paper: https://tomesphere.com/paper/1901.03397/full.md

---
Source: https://tomesphere.com/paper/1901.03397