DOI: 10.1145/3308558.3313458
research-article

Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat

Published: 13 May 2019

Abstract

In this paper, we investigate to what extent the page modifications that make browser extensions fingerprintable are necessary for their operation. We characterize page modifications that are completely unnecessary for the extension's functionality as extension bloat. By analyzing 58,034 extensions from the Google Chrome store, we discovered that 5.7% of them were unnecessarily identifiable because of extension bloat. To protect users against unnecessary extension fingerprinting due to bloat, we describe the design and implementation of an in-browser mechanism that provides coarse-grained access control for extensions on all websites. The proposed mechanism and its built-in policies not only protect users from fingerprinting but also offer additional protection against malicious extensions exfiltrating user data from sensitive websites.


Published In

WWW '19: The World Wide Web Conference
May 2019
3620 pages
ISBN: 9781450366748
DOI: 10.1145/3308558
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • IW3C2: International World Wide Web Conference Committee

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

WWW '19
WWW '19: The Web Conference
May 13 - 17, 2019
CA, San Francisco, USA

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Cited By

  • (2024) FakeX: A Framework for Detecting Fake Reviews of Browser Extensions. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 769-784. DOI: 10.1145/3634737.3656999. Online publication date: 1-Jul-2024
  • (2023) Extending Browser Extension Fingerprinting to Mobile Devices. Proceedings of the 22nd Workshop on Privacy in the Electronic Society, pp. 141-146. DOI: 10.1145/3603216.3624955. Online publication date: 26-Nov-2023
  • (2023) Fashion Faux Pas: Implicit Stylistic Fingerprints for Bypassing Browsers' Anti-Fingerprinting Defenses. 2023 IEEE Symposium on Security and Privacy (SP), pp. 987-1004. DOI: 10.1109/SP46215.2023.10179437. Online publication date: May-2023
  • (2023) From Manifest V2 to V3: A Study on the Discoverability of Chrome Extensions. Information Security, pp. 183-202. DOI: 10.1007/978-3-031-49187-0_10. Online publication date: 15-Nov-2023
  • (2022) A Survey of Browser Fingerprint Research and Application. Wireless Communications & Mobile Computing, 2022. DOI: 10.1155/2022/3363335. Online publication date: 1-Jan-2022
  • (2022) Escaping the Confines of Time. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2675-2688. DOI: 10.1145/3548606.3560576. Online publication date: 7-Nov-2022
  • (2022) Are chrome extensions compliant with the spirit of least privilege? International Journal of Information Security, 21:6, pp. 1283-1297. DOI: 10.1007/s10207-022-00610-w. Online publication date: 1-Dec-2022
  • (2022) FPFlow: Detect and Prevent Browser Fingerprinting with Dynamic Taint Analysis. Cyber Security, pp. 51-67. DOI: 10.1007/978-981-16-9229-1_4. Online publication date: 21-Jan-2022
  • (2022) CPU Port Contention Without SMT. Computer Security – ESORICS 2022, pp. 209-228. DOI: 10.1007/978-3-031-17143-7_11. Online publication date: 26-Sep-2022
  • (2021) Browserprint: an Analysis of the Impact of Browser Features on Fingerprintability and Web Privacy. Information Security, pp. 161-176. DOI: 10.1007/978-3-030-91356-4_9. Online publication date: 9-Nov-2021