Abstract (English) |
With the rapid advancement of technology, browser extensions have become important tools for enhancing the browsing experience. However, to use the functionality an extension provides, users must grant it the corresponding permissions, and those permissions can in turn give a malicious extension author a convenient pathway into the user's browser session.
This thesis investigates whether a malicious browser extension can abuse user-granted permissions to steal personal information from online banking systems. It aims to confirm the feasibility of such data theft by an extension and to propose defensive strategies against it.
The thesis first introduces browser extensions, the development tools used to build them, and the mechanisms browsers provide for storing data. It then designs and implements a malicious extension system, InfoStealer, which detects whether the user is logged in to an online banking system, issues requests to the bank's servers to collect the user's data, and finally transmits that data to an external server, so that the theft process can be simulated and analysed. The experimental results demonstrate the system's login detection, data retrieval and data transmission capabilities, and relate each behaviour to the extension permissions it requires.
Based on these results, the thesis proposes defenses against such behaviour: in addition to authenticating the user, the server should verify the headers of incoming network requests to confirm that each request originates from the expected source. Finally, it discusses the impact and consequences of this kind of data theft and the limitations of the research system. |
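The server-side header verification the abstract recommends, as an added example that is not code from the thesis or from the InfoStealer system: a Node.js function that classifies a request to a sensitive account-data endpoint by its Origin, Referer and Sec-Fetch-* headers and rejects requests whose stated source is not the bank's own page. The bank origin, the sample header sets and the extension ID are constructed for this example; the `chrome-extension://` Origin value is what a fetch issued from an extension's background context carries, while the Sec-Fetch-Site value shown for that sample is assumed (the Origin mismatch alone is enough to reject it).

```javascript
// Added example, not the thesis's own code: server-side request-source check
// of the kind the abstract recommends. Plain Node.js, no dependencies.

// Hypothetical bank origin used throughout the example.
const BANK_ORIGIN = "https://bank.example";

// Lowercase header names and trim values, as a Node http server exposes them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Origin of a URL string, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Classify one request to a data endpoint. Returns { ok, reason }.
// Policy:
//  1. If Origin is present it must equal the bank's origin.
//  2. If Origin is absent (some same-origin GETs), fall back to the Referer origin.
//  3. If neither header is present the source is unknown: reject.
//  4. Sec-Fetch-Site, when present, must be "same-origin".
//  5. A navigation (Sec-Fetch-Mode: navigate) to a JSON data endpoint is rejected;
//     the bank's page fetches this endpoint, it does not navigate to it.
function checkRequestSource(rawHeaders, expectedOrigin = BANK_ORIGIN) {
  const h = normalizeHeaders(rawHeaders);
  const origin = h["origin"];
  const referer = h["referer"];
  const site = h["sec-fetch-site"];
  const mode = h["sec-fetch-mode"];

  if (origin !== undefined) {
    if (origin !== expectedOrigin) {
      return { ok: false, reason: `Origin ${origin} is not ${expectedOrigin}` };
    }
  } else if (referer !== undefined) {
    if (originOf(referer) !== expectedOrigin) {
      return { ok: false, reason: `Referer ${referer} is not from ${expectedOrigin}` };
    }
  } else {
    return { ok: false, reason: "neither Origin nor Referer present" };
  }

  if (site !== undefined && site !== "same-origin") {
    return { ok: false, reason: `Sec-Fetch-Site is ${site}` };
  }
  if (mode === "navigate") {
    return { ok: false, reason: "navigation request to a data endpoint" };
  }
  return { ok: true, reason: "request appears to come from the bank's own page" };
}

// Constructed sample requests (not captured traffic). The extension ID is made up.
const SAMPLES = {
  // fetch() issued by the bank's own page script
  legitimatePage: {
    Origin: BANK_ORIGIN,
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "cors",
    Cookie: "session=constructed",
  },
  // fetch() issued from an extension's background context; it reuses the
  // user's cookies, but its Origin is the extension's own origin
  extensionBackground: {
    Origin: "chrome-extension://abcdefghijklmnopabcdefghijklmnop",
    "Sec-Fetch-Site": "cross-site", // assumed value; Origin alone already rejects
    "Sec-Fetch-Mode": "cors",
    Cookie: "session=constructed",
  },
  // cross-site request from an unrelated web page
  thirdPartySite: {
    Origin: "https://evil.example",
    "Sec-Fetch-Site": "cross-site",
    "Sec-Fetch-Mode": "cors",
  },
  // same-origin GET that carries only a Referer
  legacyRefererOnly: {
    Referer: BANK_ORIGIN + "/accounts",
    Cookie: "session=constructed",
  },
};

// Run every sample through the check; returns { sampleName: boolean }.
function runSamples() {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    results[name] = checkRequestSource(headers).ok;
  }
  return results;
}

console.log(runSamples());
```

The check rejects requests whose Origin is the extension's own origin, which is the case for a fetch issued from the extension's background context, even though such a request carries the victim's session cookie. It does not, on its own, stop a content script that the extension injects into the bank's page, because a request issued from the page context carries the bank's origin and same-origin Sec-Fetch-Site; that is why the abstract pairs header verification with authentication rather than replacing it.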