
Communication between browser extensions and web applications poses cyber security and privacy threats

The research “EmPoWeb: Empowering Web Applications with Browser Extensions” finds that communication between browser extensions and web applications poses serious cyber security and privacy threats

Communication between browser extensions and web applications poses serious cyber security and privacy threats. This was discovered by Dolière Francis Somé of the Université Côte d’Azur, who published the research “EmPoWeb: Empowering Web Applications with Browser Extensions”, an analysis of the communication APIs that extensions expose to web applications. Browser extensions are third-party programs, tightly integrated with browsers, that execute with elevated privileges in order to provide users with additional functionality, explains the abstract of the study. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and can therefore read and write user data on any web application. They also have access to sensitive user information, including browsing history, bookmarks, credentials (cookies) and the list of installed extensions. They have access to permanent storage in which they can keep data for as long as they are installed in the user’s browser. They can trigger the download of arbitrary files and save them on the user’s device.

Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information

For cyber security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit an extension’s privileged capabilities and thereby access and exfiltrate sensitive user information, the research underlines. “We analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions’ APIs, web applications can bypass SOP and access user data on any other web application, access user credentials (cookies), browsing history, bookmarks, list of installed extensions, extensions storage, and download and save arbitrary files in the user’s device”.
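The weakness the research describes arises when an extension’s content script relays whatever a web page sends it (typically via `window.postMessage`) to the privileged background context without checking who sent it or what it asks for. The following is an added example, not code from the EmPoWeb paper or from any extension it analysed: it contrasts an unsafe relay with a handler that forwards only messages from the same window, from an explicit allow-list of origins, and naming an allow-listed action. The origin `https://app.example`, the action name `getPreference` and the message shape are assumptions chosen for illustration; the browser wiring at the end uses the standard `window.addEventListener` and `chrome.runtime.sendMessage` calls and only runs inside a real extension.

```javascript
// Added example: content-script message validation for an extension that
// accepts requests from a web page. Allow-lists and action names are constructed.

const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed allow-list
const ALLOWED_ACTIONS = new Set(["getPreference"]);       // constructed, harmless action

// Returns true only when the message event comes from the page's own window,
// from an allow-listed origin, and carries a recognised action string.
function isTrustedMessage(event, ownWindow,
                          allowedOrigins = ALLOWED_ORIGINS,
                          allowedActions = ALLOWED_ACTIONS) {
  // Messages from iframes or other windows also reach the content script;
  // insisting on the same window rules those out.
  if (event.source !== ownWindow) return false;
  // event.origin is set by the browser and cannot be forged by the sender.
  if (!allowedOrigins.has(event.origin)) return false;
  const data = event.data;
  if (!data || typeof data !== "object") return false;
  if (typeof data.action !== "string" || !allowedActions.has(data.action)) return false;
  return true;
}

// Hardened handler: validates the event and forwards a fresh, minimal message
// (never the raw page-controlled object) to the background context.
// Returns the forwarded message, or null when the event was dropped.
function handleWindowMessage(event, ownWindow, forward) {
  if (!isTrustedMessage(event, ownWindow)) return null;
  const msg = { action: event.data.action, origin: event.origin };
  forward(msg);
  return msg;
}

// Unsafe pattern the research warns about: any page, any frame, any payload is
// relayed unchanged to the privileged side.
function unsafeHandleWindowMessage(event, forward) {
  forward(event.data);
  return event.data;
}

// Wiring for a real content script; skipped outside a browser extension.
if (typeof window !== "undefined" && typeof chrome !== "undefined" && chrome.runtime) {
  window.addEventListener("message", (event) =>
    handleWindowMessage(event, window, (msg) => chrome.runtime.sendMessage(msg)));
}
```

The background script should apply the same discipline on its side: map each allow-listed action to one narrow capability rather than exposing generic wrappers around `chrome.cookies`, `chrome.history` or `chrome.downloads`, since validating the sender is of little use if the action itself hands the page the full privilege.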
