Ex-Ray: Detection of History-Leaking Browser Extensions
Michael Weissbacher, Enrico Mariconti, Guillermo Suarez-Tangil, Gianluca Stringhini, William Robertson, Engin Kirda
Northeastern University, University College London
Michael Weissbacher et al., Northeastern University, Boston
Overview
● Extension Basics
● Extension Privacy Risks
● HoneyPot Probe
● Detection Methodology
● System Design and Evaluation
● Conclusion and Discussion
How extensions work
● Additions to browser core functionality
● Powerful API based on permissions
  ○ Modification of active pages
  ○ Modification of requests / responses
  ○ Often access to all visited pages
  ○ Access to cookies
  ○ Access to previous history
Extension Privacy Risks
● Privacy leaks through
  ○ Modifications to the site: referrer
  ○ Request or response interception
  ○ Polling active tab
  ○ ...
● No unified way of detection
● Previous work:
  ○ Manual analysis
  ○ Leaking keywords, search traffic
Extension Privacy Mitigations
● Permissions can restrict access to sites
● Extensions often over-request access
● Only modest permissions required to leak history
Tracker Comparison
● On Websites:
  ○ Opt-in: Website owner
  ○ Opt-out: Ghostery
● In Extensions:
  ○ (typically) all websites
  ○ Implicit Opt-in through installation
  ○ No opt-out
“Is this an issue in practice?”
HoneyPot Probe
● Extensions run in a container
● Web and DNS local
● URLs unique to extension
● Public Internet only for other resources
● Browsing our website...
● ... which is also available on the public Internet
HoneyPot Incoming Connections
| Extension Name | Installations | Connection Origin |
| --- | --- | --- |
| Stylish - Custom themes | 1,671,326 | `*.bb.netbynet.ru`, `*.moscow.rt.ru`, `*.spb.ertelecom.ru` |
| Pop Up Blocker for Chrome | 1,151,178 | `*.aws.kontera.com`, `176.15.177.229`, `*.bb.netbynet.ru` |
| Desprotetor de Links | 251,016 | `*.aws.kontera.com`, `*.moscow.rt.ru`, `*.bb.netbynet.ru` |
HoneyPot Probe
● Connections prove use of data
● Excluding VPN: 38 Extensions
● Connection often immediately after execution
● They leak immediately
● Indications for collaboration, no proof
● No malicious activity detected
● Motivation for automated detection system
Detection Methodology
Hypothesis: For tracking samples, sent data size should grow in relation to history provided to the extension.
Ex-Ray Goals
● Robust Detection
  ○ Traffic obfuscation / encryption
  ○ Method of data collection / exfiltration
● Automated detection of leaks
● Large scale
Detection Methodology
● Controlled environment
● Execution in multiple stages
● Vary size of browsing history
● Supervised and unsupervised methods
Causality
● Varying history as variable over stages
  ○ Stage 0: example.com/example/index.html
  ○ Stage 1: example.com/example/<500characters>/index.html
  ○ ...
● Expectations
  ○ Benign: no change
  ○ Otherwise: ?
Causality
● Counterfactual analysis
● Input variable: size of history
● Output variable: <data sent, destination> tuples
● Invariants of trackers
● Goal: find deterministic tracking
● Supervised method: trained on benign and leaking datasets
Causality
Three steps
1. Minimum intercept: threshold
2. Minimum slope: increase
3. Level of confidence: proximity to model
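The three checks above, applied to staged measurements, as an added example (not the authors' Ex-Ray code). It fits a line to bytes sent per destination against the history size supplied in each stage. The domains, byte counts, thresholds and the use of R² as the "proximity to model" measure are assumptions made for illustration.

```python
from statistics import mean

# Constructed input. Padding (characters) inserted into each visited URL per
# stage, following the slide's "Stage 1: .../<500characters>/index.html".
STAGE_PADDING = [0, 500, 1000, 1500]
URLS_PER_STAGE = 10  # assumption: pages browsed in every stage

# Constructed measurements: bytes sent to each destination, one value per stage.
BYTES_SENT = {
    "tracker.example": [4200, 9350, 14280, 19400],  # grows with history
    "cdn.example": [3100, 3080, 3120, 3095],        # constant static fetches
    "ads.example": [800, 9000, 900, 12000],         # large but erratic
}


def fit_line(xs, ys):
    """Ordinary least squares; returns (slope, intercept, r_squared)."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_tot = sum((y - my) ** 2 for y in ys)
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    r2 = 1.0 if ss_tot == 0 else 1.0 - ss_res / ss_tot
    return slope, intercept, r2


def classify(bytes_sent, padding, urls_per_stage,
             min_intercept=100.0, min_slope=0.5, min_r2=0.9):
    """Apply the three checks per destination; thresholds are assumed values."""
    history = [p * urls_per_stage for p in padding]  # history bytes added
    verdicts = {}
    for dest, sent in bytes_sent.items():
        slope, intercept, r2 = fit_line(history, sent)
        checks = {
            "intercept": intercept >= min_intercept,  # step 1: enough traffic
            "slope": slope >= min_slope,              # step 2: grows with input
            "confidence": r2 >= min_r2,               # step 3: close to the line
        }
        verdicts[dest] = {"slope": slope, "r2": r2, "checks": checks,
                          "leak": all(checks.values())}
    return verdicts


if __name__ == "__main__":
    for dest, v in classify(BYTES_SENT, STAGE_PADDING, URLS_PER_STAGE).items():
        failed = [name for name, ok in v["checks"].items() if not ok]
        print(f"{dest:18} slope={v['slope']:.3f} r2={v['r2']:.3f} "
              f"leak={v['leak']} failed={failed}")
```

Because only byte counts and destinations are measured, the fit does not depend on reading the payload, which is why the approach tolerates encrypted or obfuscated traffic. The erratic destination passes the slope check and is rejected only by the confidence check.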
Triage
● Quantify leakage
● Prioritize extensions
● Supports human analyst in prioritizing extensions
Triage
● L: number of leaked URLs between experiments
● |si|, |sj|: number of bytes sent to domain
● : expected threshold for increase
Triage
● Score: Likelihood of a leak
● s: transition between stages (i=>j)
Triage
● Result: indicators for manual analysis
Triage Samples: Leak
QR Code Generator
4e+18 connectionstrenth.com
394.88 a.pnamic.com
28.22 eluxer.net
4.48 rules.similardeals.net
1.16 code.jquery.com
Triage Samples: Benign
Bible Quote of the Day
1.00 www.gstatic.com
1.00 chromium-i18n.appspot.com
1.00 ssl.gstatic.com
1.00 localhost
0.67 www.google.com
Behavioral Detection
● Based on previously flagged extensions
● Clang Libtooling instrumentation
  ○ C++ source code rewriting
  ○ 11,132 function trace points
● API call analysis
● Input: n-grams of API calls
Evaluation: Causality
● Crawled store for extensions > 1,000 installations
● 10,691 Extensions total
● 212 flagged: 1.9%
● 184 manually verified as leaking
● 28 wrongly identified
● False Detection Rate: 0.27%
  ○ Flagged due to ads
  ○ Possible improvement: increase # stages
Evaluation: Behavioral
● Best parameters:
  ○ n-gram: 2
  ○ F1 score: 96.43%
● Distinguishing calls:
  ○ URL manipulation
  ○ JavaScript manipulation
● Most distinguishing sequence:
  ○ extensions.browser.extension_prefs.GetExtensionPref()
  ○ chrome.browser.extensions.shared_user_script_master.GetScriptsMetadata()
Noteworthy Samples: Causality
● Not detectable by state-of-the-art leakage detection systems
● Previously unknown leakage channels
  ○ Strong Encryption
  ○ Unsupported Protocol
Web of Trust (WOT)
● Provides crowd-sourced "trust" ranking
● 1.2M installations
● Extension received media coverage for selling user data
● RC4 encryption (See crypto.js file)
● Can be implemented similarly to Google Safe Browsing (offline)
CouponMate
● WebSockets: Protocol not supported by previous systems
● Protocol growing in popularity: 0.96%
Possible remediations
● Stores should analyze extensions to warn users
● Implement API to inspect background traffic
● Invasive tracking as single purpose rule violation
Conclusions
● Robust detection method for privacy leaks
● Prototype: Ex-Ray
● Supervised and Unsupervised methods
● 10,691 extensions analyzed
● 212 flagged
● Found two novel leaking channels in use
Thank you for your attention
Questions?
Paper and Data:
https://goo.gl/nezKGp