A Security Analysis of Browser Extensions

Abstract: Browser Extensions (often called plugins or addons) are small pieces of code that let developers add additional functionality to the browser. However, with extensions comes a security price: the user must trust the developer. We look at ways in which this trust can be broken and malicious extensions installed. We also look at silent installations of plugins in various browsers and work on ways to make silent installations possible in browsers that work against it. We compare the browser extension mechanism among various browsers, and try to create a set of rules to maintain the principle of least privileges in the browser. We track various plugins and determine whether the least privileges required match with the privileges asked for. We also work on a survey of extensions (for various browsers) and determine the nature of attacks possible. For eg, if a developer account gets hacked, updating of a normal extension with a malicious one is possible. We look at privilege abuse and survey extensions that ask for more privileges than they use. We finally provide a solution and allow a person to check the authenticity of the extension even before they download it.