posted on 2022-08-01, 00:00, authored by Soroush Karami
As browsers continue to evolve, they have become complex applications that mediate a significant part of our online activities. With web applications continuously introducing novel functionality to increase user engagement, browsers deploy novel APIs and technologies to support such initiatives. As a result, modern web browsers often integrate new technologies and mechanisms that introduce novel attack vectors with significant security and privacy implications. This dissertation focuses on two features of modern browsers, JavaScript Service Workers and browser extensions. The goal is to provide a better understanding of the web security threats these features cause and to propose solutions that address them.
This dissertation first explores the threat that JavaScript Service Workers pose to users and develops novel attack vectors that exploit their capabilities in most modern browsers. By investigating the Cache Storage and Fetch APIs, this work found that attackers can exploit these APIs for history sniffing in most major browsers. We found that Service Workers are not effectively isolated in browsers and demonstrated two novel history-sniffing attacks: one relies on information leakage in the Performance API, and the other measures the timing side effects of Service Worker functionality. We instrumented the Chromium browser in order to detect vulnerable websites. Using this system, we analyzed the one million most popular websites and found 6,706 websites vulnerable to these attacks. Beyond history sniffing, our methodology also enables other forms of privacy-leakage attacks. We used the history-sniffing attacks as a building block for three additional attack vectors: registration inference, fine-grained history sniffing, and application-level sensitive information inference.
Next, this work presents an automated approach for creating and detecting extension fingerprints. We developed a framework, called Carnus, that fully automates the entire process of fingerprint creation and the detection of behavior-based fingerprints. At the core of this system, four techniques generate the extensions' fingerprints: WAR, DOM-based, outgoing HTTP requests, and intra-browser message exchanges. This system creates the largest set of extension fingerprints to date. By statically and dynamically analyzing more than 100,000 extensions, we found 29,428 detectable extensions. Our analysis and investigation of extension fingerprinting in realistic settings demonstrate the practicality and robustness of our techniques; the behavior-based techniques of this system achieve more than 97% accuracy. The dissertation then explores the privacy threat that extension fingerprinting poses to users and presents a study on the feasibility of inference attacks that reveal private and sensitive user information based on the functionality and nature of their installed extensions. Using these techniques, we found that 18,286 (62.13%) of the detectable extensions reveal sensitive information about users.
Finally, this dissertation introduces the concept of DOM Reality Shifting for preventing behavior-based extension fingerprinting. To demonstrate this approach, we developed Simulacrum, a prototype extension that implements the defense by overriding DOM APIs. Simulacrum splits the reality users experience while browsing from the reality that webpages can observe. The reality that webpages observe contains no extension behavior; therefore, extensions are not detectable by websites.
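The following is an added illustration of the DOM Reality Shifting idea, not Simulacrum's own code: a page-facing query API is wrapped so that nodes an extension injected do not appear in what page scripts can observe, while the extension keeps a private handle to the unfiltered view. The marker attribute, the in-memory stand-in for a document, and the sample nodes are all constructed here so the demo runs outside a browser.

```javascript
// Hypothetical marker the defending extension sets on every node it injects.
const EXT_MARK = 'data-ext-owned';

// Minimal stand-in for a DOM node (constructed for the demo).
function makeNode(tag, attrs = {}) {
  return {
    tagName: tag.toUpperCase(),
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
  };
}

// Minimal stand-in for a document: one query method over a flat node list.
function makeDocument(nodes) {
  return {
    querySelectorAll(tag) {
      return nodes.filter((n) => tag === '*' || n.tagName === tag.toUpperCase());
    },
  };
}

// Wraps the document's query API so page scripts never see extension nodes
// ("page reality"). Returns a private accessor that still yields the
// unfiltered result set ("user reality") for the extension's own use.
function installRealityShift(doc) {
  const original = doc.querySelectorAll.bind(doc);
  const isExtensionNode = (n) => n.getAttribute(EXT_MARK) === 'true';
  doc.querySelectorAll = function shifted(selector) {
    // Same query the page asked for, minus everything the extension injected.
    return original(selector).filter((n) => !isExtensionNode(n));
  };
  return { userReality: original };
}

// Builds a sample page with one genuine node and two extension-injected nodes,
// installs the shift, and reports what each side of the split can observe.
function demo() {
  const doc = makeDocument([
    makeNode('div', { id: 'page-content' }),
    makeNode('div', { id: 'ext-toolbar', [EXT_MARK]: 'true' }),
    makeNode('span', { id: 'ext-badge', [EXT_MARK]: 'true' }),
  ]);
  const { userReality } = installRealityShift(doc);
  return {
    pageSees: doc.querySelectorAll('*').length,      // page reality: 1
    userSees: userReality('*').length,               // user reality: 3
    divsPageSees: doc.querySelectorAll('div').length, // the extension's div is hidden: 1
  };
}
```

In a real browser the override has to run in the page's main world before any page script and cover every traversal path (childNodes, MutationObserver, innerHTML serialization, and so on), which is where the engineering effort of such a defense lies.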
Language: en
Advisor: Polakis, Jason
Chair: Polakis, Jason
Department: Computer Science
Degree Grantor: University of Illinois at Chicago
Degree Level: Doctoral
Degree name: PhD, Doctor of Philosophy
Committee Members: Kanich, Chris; Solworth, Jon A; Nikiforakis, Nick; Doupé, Adam