Extending a Hand to Attackers: Browser Privilege Escalation Attacks via Extensions

PROCEEDINGS OF THE 32ND USENIX SECURITY SYMPOSIUM (2023)

Abstract
Web browsers are attractive targets of attacks, whereby attackers can steal security- and privacy-sensitive data, such as online banking and social network credentials, from users. Thus, browsers adopt the principle of least privilege (PoLP) to minimize the damage of a compromise, namely through the multiprocess architecture and site isolation. We focus on browser extensions, which are third-party programs that extend the features of modern browsers (Chrome, Firefox, and Safari). The browser also applies PoLP to the extension architecture; that is, the two primary extension components are separated, where one component is granted higher privilege and the other is granted lower privilege. In this paper, we first analyze the security aspect of extensions. The analysis reveals that the current extension architecture imposes strict security requirements on extension developers, which are difficult to satisfy. In particular, 59 vulnerabilities are found in 40 extensions caused by violated requirements, allowing the attacker to perform privilege escalation attacks, including UXSS (universal cross-site scripting) and stealing passwords or cryptocurrencies in the extensions. Alarmingly, extensions are used by more than half of Chrome users and a third of Firefox users, respectively. Furthermore, many extensions in which vulnerabilities are found are extremely popular and have more than 10 million users. To address the security limitations of the current extension architecture, we present FISTBUMP, a new extension architecture that strengthens PoLP enforcement. FISTBUMP employs strong process isolation between the webpage and the content script; thus, the aforementioned security requirements are satisfied by design, thereby eliminating all the identified vulnerabilities. Moreover, FISTBUMP's design maintains the backward compatibility of extensions; therefore, existing extensions can run with FISTBUMP without modification.
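The abstract describes a split between a lower-privileged content script, which runs alongside the webpage, and a higher-privileged component, and notes that developers must meet strict requirements at that boundary. The following is an added illustration of one such requirement (not code from the paper or from FISTBUMP): a content script treating page-originated data as untrusted before relaying it to the privileged side. The action names, origin and field limits are assumptions.

```javascript
// Added example, not from the paper: a content script shares the webpage's DOM,
// so anything it receives from the page (here via window.postMessage) is
// attacker-controlled. Before relaying to the higher-privileged background
// component it enforces an allowlist. ALLOWED_ACTIONS, "lookupPrice" and the
// expected origin are assumed values for illustration.

const ALLOWED_ACTIONS = new Set(["lookupPrice", "getSettings"]);
const MAX_FIELD_LENGTH = 256;

// Validate a page-originated message; return a sanitized request, or null to drop it.
function sanitizePageMessage(event, expectedOrigin) {
  // Accept only the exact origin the extension is meant to serve.
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  // The privileged side must never act on an arbitrary, page-chosen action.
  if (typeof data.action !== "string" || !ALLOWED_ACTIONS.has(data.action)) return null;
  // Copy only known, bounded string fields; everything else is discarded.
  const out = { action: data.action };
  if (data.query !== undefined) {
    if (typeof data.query !== "string" || data.query.length > MAX_FIELD_LENGTH) return null;
    out.query = data.query;
  }
  return out;
}

// Background-side check: accept only messages sent by this extension itself,
// not by other extensions. ownId is the extension's runtime id.
function isFromOwnExtension(sender, ownId) {
  return Boolean(sender) && sender.id === ownId;
}

// Wiring used inside a real content script; skipped when run outside a browser.
if (typeof window !== "undefined" && typeof chrome !== "undefined" && chrome.runtime) {
  window.addEventListener("message", (event) => {
    const req = sanitizePageMessage(event, "https://example.com");
    if (req !== null) chrome.runtime.sendMessage(req);
  });
}
```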