Colluding browser extension attack on user privacy and its implication for web browsers

In this paper, we extend the concept of colluding extension discussed in the literature. Furthermore, we demonstrate a new attack that can leverage this concept and cause privacy leakage in a web browser. The communication between extensions permit two extensions to collude with each other, and share objects that are allocated in the same address space. As improvement on the work discussed in the literature, we show the way in which colluding extensions can communicate over overt and covert communication channels for executing colluding attacks. In addition, we test the effectiveness of newly identified attacks against representative state-of-art techniques for browser extensions. In particular, we identify: (a) object reference sharing; (b) event notification; and (c) preference overriding as the vulnerable points in the browser extension system. We illustrate the effectiveness of the proposed attack through colluding extensions using various attack scenarios, and we provide a proof-of-concept implementation for web domains including the banking and shopping domains. We believe that the use-case scenarios we consider in our demonstration further underlines the severity of the presented attack. Finally, we discuss possible mitigation techniques to address the given colluding attack.