'"Threatpost has a link to some recent research about ways web pages
can exploit browser extensions to steal information or write files,"
writes Slashdot reader jbmartin6. "Did we need another reason to be
deeply suspicious of any browser extension? Not only do they spy on us
for their makers, now other people can use them to spy on us as well.
The academic paper is titled 'Empowering Web Applications with Browser
Extensions' (PDF)." From the report:

"An attacker [uses] a script that is present in a web application
currently running in the user browser. The script either belongs to
the web application or to a third party. The goal of the attacker is
to interact with installed extensions, in order to access user
sensitive information. It relies on extensions whose privileged
capabilities can be exploited via an exchange of messages with scripts
in the web application," researchers wrote. They added, "Even though
content scripts, background pages and web applications run in separate
execution contexts, they can establish communication channels to
exchange messages with one another... APIs [are used] for sending and
receiving (listening for) messages between the content scripts,
background pages and web applications."

The researcher behind the paper focused on a specific class of web
extension called "WebExtensions API," a cross-browser extensions
system compatible with major browsers including Chrome, Firefox, Opera
and Microsoft Edge. After analyzing 78,315 extensions that used the
specific WebExtension API, it found 3,996 that were suspicious. While
it seems voluminous, they noted that research found a small number of
vulnerable extensions overall, and that concern should be measured.
However, "browser vendors need to review extensions more rigorously,
in particular take into consideration the use of message passing
interfaces in extensions."'
-- source: https://it.slashdot.org/story/19/01/23/2256252
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
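
The message-passing exposure described in the quoted report, as an added example that is not part of the original post, the article or the paper: a content-script relay that forwards whatever the page posts, beside a hardened one that checks the sender and rebuilds only allow-listed requests. The message types, origins and field names are hypothetical, and the events are constructed stand-ins for window "message" events so the block runs under Node.

```javascript
// In a real content script the handler would be registered with
// window.addEventListener("message", handler) and sendToBackground
// would be browser.runtime.sendMessage (chrome.runtime.sendMessage in Chrome).

// Weak form: forwards anything any script in the page posts.
function naiveRelay(sendToBackground) {
  return (event) => sendToBackground(event.data);
}

// Hardened form. An origin check cannot tell the site's own script from a
// third-party script it includes, so the real control is the allow-list:
// only low-privilege request types, with every field validated and rebuilt.
function hardenedRelay({ pageWindow, allowedOrigins, validators, sendToBackground }) {
  return (event) => {
    if (event.source !== pageWindow) return false;        // another frame or window
    if (!allowedOrigins.has(event.origin)) return false;  // unexpected origin
    const msg = event.data;
    if (msg === null || typeof msg !== "object") return false;
    const known = Object.prototype.hasOwnProperty.call(validators, msg.type);
    if (!known) return false;                             // unknown request type
    const clean = validators[msg.type](msg);              // never pass msg through as-is
    if (!clean) return false;
    sendToBackground(clean);
    return true;
  };
}

// Hypothetical policy: the page may only ask for a theme change.
const validators = {
  "set-theme": (m) => (m.theme === "dark" || m.theme === "light")
    ? { type: "set-theme", theme: m.theme } : null,
};

function runDemo() {
  const pageWindow = {};  // stand-in for `window`
  const ok = "https://app.example";
  const events = [        // constructed sample events
    { source: pageWindow, origin: ok, data: { type: "set-theme", theme: "dark" } },
    { source: pageWindow, origin: ok, data: { type: "fetch-url", url: "https://intranet.example/" } },
    { source: {}, origin: "https://ads.example", data: { type: "set-theme", theme: "dark" } },
    { source: pageWindow, origin: ok, data: { type: "set-theme", theme: "dark", extra: "x" } },
  ];
  const naive = [], hardened = [];
  const n = naiveRelay((m) => naive.push(m));
  const h = hardenedRelay({ pageWindow, allowedOrigins: new Set([ok]), validators,
    sendToBackground: (m) => hardened.push(m) });
  events.forEach((e) => { n(e); h(e); });
  return { naive, hardened };
}
```

The background page should apply the same allow-list to what it receives, since it is the component that holds the privileged APIs.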