Abstract
Years ago, Google disabled the ability to freely modify some internal configuration parameters, so actions such as silently (un)installing browser extensions or changing the home page or the search engine were banned. Previously, this was as simple as adding or removing a few lines in a plain text file called the Secure Preferences file, which Chromium creates automatically the first time it is launched. Concretely, Google introduced a security mechanism based on a cryptographic algorithm named Hash-based Message Authentication Code (HMAC) to prevent users and applications other than the browser from modifying the Secure Preferences file. This paper demonstrates that it is possible to perform browser hijacking, browser extension fingerprinting, and remote code execution attacks, as well as silent browser extension (un)installation, by coding a platform-independent proof-of-concept changeware that exploits the HMAC, allowing free modification of the Secure Preferences file. Last but not least, we analyze the security of the four most important Chromium-based browsers: Brave, Chrome, Microsoft Edge, and Opera, concluding that all of them suffer from the same security pitfall.
Notes
- 1. Brave uses the Chrome user-agent (desktop and Android) and the Firefox user-agent (iOS).
Acknowledgments
This work was partially supported by the Swedish Foundation for Strategic Research (SSF) and the Swedish Research Council (Vetenskapsrådet) under grant Nr. 2015-04154 (PolUser: Rich User-Controlled Privacy Policies).
A Installed-by-Default Extensions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Picazo-Sanchez, P., Schneider, G., Sabelfeld, A. (2020). HMAC and “Secure Preferences”: Revisiting Chromium-Based Browsers Security. In: Krenn, S., Shulman, H., Vaudenay, S. (eds) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science, vol 12579. Springer, Cham. https://doi.org/10.1007/978-3-030-65411-5_6
DOI: https://doi.org/10.1007/978-3-030-65411-5_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65410-8
Online ISBN: 978-3-030-65411-5
eBook Packages: Computer Science, Computer Science (R0)