Least Privilege for Browser Extensions

Browser extensions let developers add extra functionality to the browser. Although this enables popular new features, extensions threaten browser security because they are written by unknown third-party developers. An extension could be directly malicious, or a well-intentioned developer could write buggy code that leaks privileges to a malicious web site operator. This thesis advocates the development of an extension system that limits extensions’ privileges to the fewest privileges possible without crippling legitimate functionality. We motivate the reduction of extension privileges with a study of 25 Mozilla Firefox extensions. Currently, Firefox extensions have unrestricted access to browser privileges: extensions can delete files from the hard drive and launch processes. Our study shows that 88% of the studied extensions do not require the most powerful privileges. We consider how the Firefox extension system could be changed to reduce extension privileges and remove the privilege gap. We then examine the new Google Chrome extension system, which supports restrictions on extensions as recommended by this work. We test the performance of their security mechanisms and study 25 popular Google Chrome extensions to see whether they are appropriately privileged.