XHound: Quantifying the Fingerprintability of Browser Extensions. Priyankit Bangia Software Engineering. By Oleksii Starov & Nick Nikiforakis

Transcription

1 XHound: Quantifying the Fingerprintability of Browser Extensions By Oleksii Starov & Nick Nikiforakis Priyankit Bangia Software Engineering

2 INTRODUCTION What are browser extensions? Browsers are designed to be extensible. Users can install programs to add extra functionality to their browser. >10M users >10M users >5.7M users - AdBlock removes/hides ad elements on the page. - Grammarly attaches a spell checker to text input areas. - LastPass automatically stores and fills out forms with passwords. Adding browser extensions can make a user uniquely identifiable/fingerprintable.

3 INTRODUCTION Why is this important? Security: Trackers can discover targets for exploits in browser extensions. E.g password managers store high risk information. Privacy: Inferring and leveraging sensitive information about the user. E.g Shopping extensions reveal shopping habits, political addons reveal political views. Predicting fingerprinting techniques allows the research community develop countermeasures.

4 INTRODUCTION This work aims to investigate and quantify the fingerprintability of browser extensions. Browser extensions can serve as discriminating features for uniquely identifying browser sessions of users. - These modifications create a signature, which can be tracked across visits of a web page. XHound tool developed to automate the detection and fingerprinting of browser extensions. - Static analysis & dynamic analysis Defenses to minimise fingerprintability. - Encapsulation & namespace pollution

5 THREAT MODEL Attacker uniquely identifies user across browser sessions with stateless identifiers. DOM changes made by extensions make them identifiable. A web page has DOM elements which trigger activity from extensions. The DOM changes reveal the extension s presence. 4 types of DOM changes: adding/removing/modifying an element, or changing text. A set of extensions that the user has can be inferred and can be used to discriminate between users.

6 THREAT MODEL Two attack scenarios: 1. Tracking from an arbitrary domain - Extension is invoked on ANY web page 2. Tracking from some popular domain - Extension is invoked on SPECIFIC web pages

7 THREAT MODEL #1 ARBITRARY URLs Content dependant extension activity. Targets extensions that may run on any web page that has the relevant elements to trigger the extension. The modifications to the DOM reveal the extension s presence. Example: LastPass modifies all form input elements that are found in any web page.

8 THREAT MODEL #2 SPECIFIC URLs URL dependant extension activity. Extension is designed to be activated on specific web pages, changing the DOM of only these targeted web pages. The modifications to the DOM reveal the extension s presence. Example: SaveToPocket adds buttons to twitter feeds on twitter.com

9 XHOUND s ARCHITECTURE 1. Test Preparation Extensions unpacked Patch with JS, OnTheFlyDOM library 2. Execution Extensions loaded with ChromeDriver URLs visited, honey pages served Final DOM state is saved 3. Analysis Comparisons made by detection logic

10 HONEY PAGES Aim is to trigger as much activity as possible. Pretend to visit actual URLs, but serve custom honey pages instead Content that deliberately stimulates benign extension activity. DOM includes login forms, video, audio, images, text, tables... OnTheFlyDOM library included in the honey pages that are served. Intercepts queries for DOM elements. Crafts the requested element and returns it. Extension is made to believe that the queried element is on the page, continues executing E.g XHound patches the document.getelementbyid method, so the extension is made to believe the queried element is present.

11 DETECTION LOGIC Example: Skype would remove this script from a web page if it was installed: If the script was removed, it indicates that Skype was triggered.

12 RESULTS Top 10,000 Chrome extensions tested. If looking at top 1000: % detection on arbitrary domains. - 23% detection on popular domains.

13 DEFENCE #1 Encapsulation Keeping some code separate from the main DOM of the main document, creating encapsulated widgets. Include elements in rendering, but not in the main DOM itself. Implementation code of elements is hidden E.g A slider is a simple input element: <input id="foo" type="range"> But is rendered with extra properties:

14 DEFENCE #2 Namespace pollution User can pretend to have an extension present, by populating some on-page side effects deliberately. A random sample of modifications on every page visit introduces noise. Bogus modifications increase false positives/negatives - inconsistent signature. E.g Insert empty Skype script: <script id= skype_script ></script>

15 CRITICISMS This work is about identifying techniques to fingerprint users, but does not measure the risk of exposed information from being fingerprinted: Need to quantify the sensitivity of information leakage for better representation of risk. Can explore risk classification techniques (similar to the Pluto framework [1]) to quantify information exposure as well. [1] Demetriou, S., Merrill, W., Yang, W., Zhang, A., & Gunter, C. A. (2016). Free for All! Assessing User Data Exposure to Advertising Libraries on Android. In NDSS.

16 CRITICISMS Extensions which require to be set up are missed: E.g. does not handle extensions which require set up by clicking through several dialogues or require user login. Can log report this for human intervention to allow manual setup. Ad-blockers are detectable, but are difficult to uniquely identify: Honey pages used ads from well-known sources, which are likely found in the blacklists of almost all ad-blockers. Solution can be to analyse a large set of ad server URLs, find discrepancies in combinations of URLs that work with the targeted ad-blocking extensions.

17 Thank you. Questions? Priyankit Bangia Software Engineering