Exploiting extensions capabilities via message passing APIs
Friday, March 22, 2019 at 15:00, Fermat F102, by Doliere Francis Some (Inria INDES)
Browser extensions are third party programs, tightly integrated to browsers, where they execute with elevated privileges in order to provide users with additional functionalities. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application. They also have access to sensitive user information including browsing history, bookmarks, cookies and list of installed extensions.
For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information.
In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions’ APIS, web applications can bypass SOP, access user cookies, browsing history, etc. Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users. We discuss countermeasures and proposals, and believe that our study and in particular the tool we used to detect and exploit these threats, can be used as part of extensions review process by browser vendors to help them identify and fix the aforementioned problems in extensions.
Wi-Fi Tracking: Fingerprinting Attacks and Counter-Measures
Friday, March 8, 2019 at 15:00, Fermat F102, by Celestin Matte (Inria INDES)
The recent spread of everyday-carried Wi-Fi-enabled devices (smartphones, tablets and wearable devices) comes with a privacy threat to their owner, and to society as a whole. These devices continuously emit signals which can be captured by a passive attacker using cheap hardware and basic knowledge. These signals contain a unique identifier, called the MAC address. To mitigate the threat, device vendors are currently deploying a countermeasure on new devices: MAC address randomization. Unfortunately, we show that this mitigation, in its current state, is insufficient to prevent tracking.
To do so, we introduce several attacks, based on the content and the timing of emitted signals. In complement, we study implementations of MAC address randomization in some recent devices, and find a number of shortcomings limiting the efficiency of these implementations at preventing device tracking. At the same time, we perform two real-world studies. The first one considers the development of actors exploiting this issue to install Wi-Fi tracking systems. We list some real-world installations and discuss their various aspects, including regulation, privacy implications, consent and public acceptance. The second one deals with the spread of MAC address randomization in the devices population.
Finally, we present two tools: an experimental Wi-Fi tracking system for testing and public awareness raising purpose, and a tool estimating the uniqueness of a device based on the content of its emitted signals even if the identifier is randomized.
Market study of Skini Sequencer
Friday, March 1, 2019 at 15:00, Fermat F102, by Arianna Corvi (Inria INDES)
Have you ever mixed the informatic language with music or ever thought about introducing a new collaborative music tool in the market? This will be the topic of the presentation you will attend on Friday: a summary of the analysis, researches, qualitative and documentary studies carried out in order to position the Skini sequencer in the market.
Tracking the Pixels: Detecting Web Trackers via Analyzing Invisible Pixels
Friday, January 18, 2019 at 15:00, Fermat F102, by Imane Fouad (Inria INDES)
Web tracking has been extensively studied over the last decade. To detect tracking, most of the research studies and user tools rely on consumer protection lists. However, there was always a suspicion that lists miss unknown trackers. In this paper, we propose an alternative solution to detect trackers by analyzing behavior of invisible pixels that are perfect suspects for tracking. By crawling 829,349 webpages, we detect that third-party invisible pixels are widely deployed: they are present on more than 83% of domains and constitute 37.22% of all third-party images. We then propose a fine-grained classification of tracking based on the analysis of invisible pixels and use this classification to detect new categories of tracking and uncover new collaborations between domains on the full dataset of 34,952,217 third-party requests. We demonstrate that two blocking strategies — based on EasyList&EasyPrivacy and on Disconnect lists — each miss 22% of the trackers that we detect. Moreover, we find that if we combine both strategies, 238,439 requests (11%) originated from 7,773 domains that still track users on 5,098 websites.
Friday, October 26, 2018 at 15:00, Fermat F102, by Manuel Serrano (Inria INDES)
JAMScript — A Programming Framework for Cloud of Things
Friday, October 5, 2018 at 10:30, Fermat F321, by Jayanth Krishnamurthy (Inria INDES)