隨著科技的快速發展,瀏覽器擴充程式已經成為提高使用者瀏覽器操作體驗的重要工具。然而,在享受擴充程式提供的強大功能的同時,使用者也需要授予相對應的權限,如此一來也提供惡意攻擊者一個便利的途徑。 本論文針對惡意擴充程式是否能利用用戶授予給擴充程式的權限,竊取網路銀行的個人資訊進行測試,最終確認擴充程式竊取個人資料的可能性,並針對此惡意行為提出防禦對策。 文中首先介紹瀏覽器擴充程式,以及開發過程中使用的工具,還有瀏覽器儲存資料的方式。本文設計並實作出惡意擴充程式InfoStealer系統,主要功能為偵測使用者在網路銀行系統的登入狀態,發送請求至網路銀行伺服器收集使用者資料,最終傳送至其他伺服器,來模擬及分析資料竊取過程。實驗結果部分,展示系統在登入偵測、資料撈取及送出這兩項功能的結果,並分析擴充程式要求的權限範圍與惡意行為的相關性。 本文提供針對此種惡意行為的防禦對策,即除了身分驗證之外,也一併驗證網路請求的標頭來確認請求的來源是否與預期相符。最後,本文討論了資料竊取行為的影響及後果,並指出此研究系統的限制。 ;With the rapid advancement of technology, browser extensions have become crucial tools for enhancing user browsing experiences. However, while enjoying the powerful functionalities provided by extensions, users are required to grant corresponding permissions, inadvertently providing a convenient pathway for malicious attackers. This paper investigates whether malicious browser extensions can exploit permissions granted by users to steal personal information from online banking systems. It aims to confirm the feasibility of extensions stealing personal data and proposes defensive strategies against such malicious behavior. The paper begins by introducing browser extensions, the development tools used during their creation, and methods for storing data within browsers. It then designs and implements a malicious extension system called InfoStealer, which detects user login status on online banking systems, sends requests to collect user data from banking servers, and ultimately transmits this data to other servers for simulation and analysis of the data theft process. The experimental results demonstrate the system′s capabilities in login detection, data retrieval, and transmission, while analyzing the relevance of extension permissions to malicious behavior. This study provides defense strategies against such malicious behavior, advocating not only for authentication but also verification of network request headers to ensure requests originate from expected sources. Finally, the paper discusses the impact and consequences of data theft behavior, highlighting limitations of the research system.
