Websites can steal browser data via extensions APIs

Discussion in 'other security issues & news' started by guest, Jan 19, 2019.

  1. guest

    guest Guest

    Websites can steal browser data via extensions APIs
    January 19, 2019
    https://www.zdnet.com/article/websites-can-steal-browser-data-via-extensions-apis/
    "EmPoWeb: Empowering Web Applications with Browser Extensions" (PDF):
    http://www-sop.inria.fr/members/Doliere.Some/papers/empoweb.pdf
    https://arxiv.org/pdf/1901.03397.pdf
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    how long to "Wait..."
    [attached image: 4339.png]
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is absolutely crazy. The people responsible for the extension architecture should be ashamed. This is another thing that browser makers like Google and Mozilla should now be focused on, this stuff must be fixed. :gack:
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, kinda freaky. So I looked at the paper. Bottom line, this is mostly Chrome and Opera stuff. And there are too many to list, so hey.

    Also, the dangerous Firefox extensions are not the sort we typically talk about here. They are:

    Code:
    TABLE IX: Chrome, Firefox and Opera extensions which give web applications access to privileged APIs
    
    ...
    
    Firefox Browser
    
    Extension unique                 Web applications      Target web         Permissions
    identifier or name               to send messages      applications       (accessible
                                     from                  to access          privileged API)
    
    guretv-ver-tv                    *                     *                  eval,host,storage
    buxenger                         *                     *                  eval,host
    bitbucket-server                 *                     *                  host
    logincataddon                    logincat.com,         *                  host
    facebook-photo-zoom-easy         www.facebook.com      *                  host
    facebook-photo-zoom              www.facebook.com      *                  host
    markanabak-eklentisi             *.markanabak.com,     *.wipo.int,        host
    skimdaddy                        *                     skimdaddy.com      host
    the-trees-network                *.treesnetwork.com,   docs.google.com,   host
    assina-me                        *                     -                  downloads
    liber-capital                    *                     -                  downloads
    video-downloader-1               *                     -                  downloads
    openvost                         animevost.org         -                  downloads
    youtube-video-download-convert   *.youtube.com         -                  downloads
    openvideo                        droppages.com         -                  storage
    vgis                             *.vonage.com          -                  storage
    Based on their names, the ones that give access to storage are likely Chrome or Opera extensions. But TFA doesn't make that clear.

    Code:
    TABLE VII: Extensions which give access to their storage to any application
    
    eljhpoopiapggnlfcilpbihgbgbpnkgd
    ...
    pjojmkmdealampgchopkfbejihpimjia
    Code:
    TABLE VIII: Extensions which give access to their storage to specific applications
    
    lpkhcobfjeidpkllbeagkkmmjgbmpfch   mail.google.com
    eggdmhdpffgikgakkfojgiledkekfdce   mail.google.com
    jmllflbhbembffempimjdbgnaodpoihh   mail.google.com
    jmlnhlclbpfcbkaoaegfigepaffoankc   *.google.com,
    gaoiiiehelhpkmpkolndijhiogfholcc   netflix.com
    ghldlmcbffbcnoofadgcapodmpiimflj   netflix.com
    jpgadigdffhcjldfkanacncocacekkie   netflix.com/watch/
    peiajekggpiihnhphljoikpjeaahkdcn   beam.pro
    bnfboihohdckgijdkplinpflifbbfmhm   plug.dj
    aclhfmpoahihmhhacaekgcbjaeojnifa   wordix.io,
    hcdfoeppbchkbbpplllggbjkkfokifej   *.vk.com/feed/
    hddnlanhlmifafibmlabomkkkobcmchj   thankscoin.org
    lhjajgnfmiliphkioedlmbfcdkhdhnkc   *.service-now.com
    bmdlalnebjigindhobniianfmhakfelf   robertsspaceindustries.com,
    dadggmdmhmfkpglkfpkjdmlendbkehoh   openvideo.droppages.com
    pbpfgdgddpnbjcbpofmdanfbbigocklj   tweetdeck-enhancer
    ilpkhojfiejdbkgcjbmllngjebdoehim   *.phylotree.org
    cfnjeahambijfdljfacldifapdcklhnj   isogg.org
    cjkbjhfhpbmnphgbppkbcidpmmbhaifa   *.player.me
    ddiaadobgihkgefcaajmkjgmnjakiamn   auth.digitalkeyway.com
    dienbdhbgkpddlgaceopelifcjpmkeha   *.gestionderesidencias.es
    dnpdkejhfeeipmklhlkdjaoakbkjkkjn   datalane.io
    gmjdaaahidcimfaipifeoekglllgdllb   chat.stackexchange.com
    kfodnoaejimmmphonklghkimhnhhgbce   overlayBI.com
    Edit: OK, I had to look. I mean, "assina-me"?

    https://www.crunchbase.com/organization/signs-me-assina-me-
     
    Last edited: Jan 27, 2019
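The "*" rows in Table IX above are extensions whose content script runs on every page and forwards whatever the page posts to it on to the background script, which then calls a privileged API (host-permitted fetch, eval, storage, downloads) on the page's behalf. The block below is an added example, not code from the EmPoWeb paper or from any of the extensions listed in the thread: it writes that relay in its vulnerable form next to a hardened one. The origins app.example.com and api.example.com are assumptions, and the browser APIs are replaced by a constructed stand-in so the logic runs under plain Node.

```javascript
// Added example (not from the EmPoWeb paper or any listed extension): the
// content-script relay behind the "*" rows of Table IX, vulnerable form
// next to a hardened form. Browser APIs are a constructed stand-in.

// Stand-in for the privileged APIs a background script can reach
// (constructed; a real extension would call browser.* / chrome.*).
function makeFakeBrowser() {
  const calls = [];
  return {
    calls,
    // "host" permission: cross-origin fetch with the extension's privileges
    fetch: (url) => { calls.push(["fetch", url]); return `<body of ${url}>`; },
    // "storage": extension-private data
    storage: { token: "secret-extension-token" },
    // "eval": running page-supplied code in the extension's context
    evalCode: (code) => { calls.push(["eval", code]); return `ran:${code}`; },
    // "downloads": writing a file to disk
    download: (url) => { calls.push(["download", url]); return 1; },
  };
}

// ---- Vulnerable pattern --------------------------------------------------
// manifest.json (assumed): "content_scripts": [{"matches": ["<all_urls>"], ...}]
// Content script: forwards every window.postMessage to the background page.
function vulnerableRelay(event) {
  return event.data;                     // no origin check, no source check
}

// Background script: maps a page message straight onto a privileged API.
function vulnerableBackground(msg, sender, api) {
  switch (msg && msg.type) {
    case "fetch":    return api.fetch(msg.url);       // any host, any page
    case "eval":     return api.evalCode(msg.code);   // arbitrary code
    case "storage":  return api.storage[msg.key];     // extension secrets
    case "download": return api.download(msg.url);
    default:         return undefined;
  }
}

// ---- Hardened pattern ----------------------------------------------------
// Which pages may talk to the extension, and which hosts it will fetch
// on their behalf (both names are assumptions for this example).
const TRUSTED_PAGE_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_FETCH_HOSTS = new Set(["api.example.com"]);

// Content script: accept only messages posted by this page's own window,
// from a trusted origin, and forward a fixed shape rather than the raw object.
function hardenedRelay(event, ownWindow) {
  if (event.source !== ownWindow) return null;           // not this page
  if (!TRUSTED_PAGE_ORIGINS.has(event.origin)) return null;
  if (!event.data || typeof event.data !== "object") return null;
  return { type: String(event.data.type), url: String(event.data.url || "") };
}

// Background script: re-check the sender (sender.url is filled in by the
// browser, not by the page), expose one narrow capability, allow-list it.
function hardenedBackground(msg, sender, api) {
  let senderOrigin;
  try { senderOrigin = new URL(sender.url).origin; } catch { return { error: "bad sender" }; }
  if (!TRUSTED_PAGE_ORIGINS.has(senderOrigin)) return { error: "untrusted sender" };
  if (!msg || msg.type !== "fetch") return { error: "unsupported" }; // no eval/storage/downloads
  let target;
  try { target = new URL(msg.url); } catch { return { error: "bad url" }; }
  if (target.protocol !== "https:" || !ALLOWED_FETCH_HOSTS.has(target.hostname)) {
    return { error: "host not allowed" };
  }
  return { body: api.fetch(target.href) };
}

// Drive both handlers with the same hostile page (constructed input).
function demo() {
  const api = makeFakeBrowser();
  const evilWindow = {};
  const evilEvent = {
    source: evilWindow, origin: "https://evil.example",
    data: { type: "storage", key: "token" },
  };
  const evilSender = { url: "https://evil.example/" };

  const leaked = vulnerableBackground(vulnerableRelay(evilEvent), evilSender, api);
  const relayed = hardenedRelay(evilEvent, evilWindow);       // null: dropped
  const refused = hardenedBackground(evilEvent.data, evilSender, api);
  return { leaked, relayed, refused, calls: api.calls };
}
```

Two checks carry the weight: the relay rejects anything not posted by the page's own window from a trusted origin, and the background script derives the caller's origin from `sender.url`, which the browser sets, rather than from anything the page put in the message. The hardened background also simply does not offer eval, storage or downloads, so there is nothing for a page to reach even if a check were bypassed.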