Browser extensions are a major part of the modern web. Hundreds of millions of people use them. Google Chrome's Manifest V3 (MV3) arrived as a security-focused redesign of the extension platform. It swapped powerful background pages for service workers and tightened broad permissions, but MV3 does not prevent side-channel leakage. It simply moves the attack surface. We observed a class of new permission-escalation attacks that exploit the interaction among declarativeNetRequest rules, the chrome.storage API, and cross-origin timing measurements. An attacker-controlled extension with only minimal permissions (storage, alarms) can infer sensitive browsing activity: particular URLs visited, authentication states, even user identity. It does this without ever requesting the tabs or webRequest permissions. We evaluated the attack surface across 500 real-world Chrome extensions and introduced the Extension Leakage Score (ELS), a composite metric that quantifies passive information exposure. Our results show that 31.4% of the extensions we analysed inadvertently leak user behavioural signals that a co-installed malicious extension could exploit. We propose defences at the browser level, in extensions, and in OS scheduling to help mitigate these threats.
Introduction
Browser extensions are widely used but can introduce serious privacy and security risks. Although Chrome’s Manifest V3 (MV3) was designed to improve security by limiting extension permissions, blocking dynamic code execution, and replacing powerful APIs with more restricted ones, this paper argues that MV3 still allows significant data leakage through side-channel attacks.
The study introduces a threat model where a malicious extension can infer a user’s browsing activity by observing the behavior of a normal “victim” extension installed in the same browser. It proposes three novel attack techniques: Storage Contention Timing (detecting database I/O delays), Service Worker Wake-Up Profiling (measuring timing differences in service worker activation), and DNR Rule Interference Measurement (inferring browsing activity through delays in network rule processing).
To quantify risk, the paper defines an Extension Leakage Score (ELS), which measures how much information an extension can unintentionally leak based on signal patterns and how widely it is co-installed with other extensions.
Experiments on 500 real Chrome extensions show that over 30% are vulnerable to at least one side-channel attack, with service worker timing being the most effective attack vector. Even under MV3, attackers can still infer visited website categories with over 80% accuracy without needing special permissions.
Conclusion
This paper shows that Manifest V3's permission model does not stop co-installed malicious extensions. They can still infer sensitive user browsing behaviour through passive side-channel observation.
The SIREN framework and its three primitives (SCT, SWWP, and DRIM) are practical, low-permission attacks that are invisible to current extension vetting techniques and user permission reviews.
We recommend three classes of defenses.
1) Jitter Injection. The browser must add calibrated random noise to chrome.storage I/O completion callbacks and service worker startup timestamps. Make the noise larger than the side-channel signal.
2) Storage I/O Isolation. Serve OS-level storage I/O for browser extension data from per-extension isolated I/O queues. This prevents cross-extension LevelDB contention timing.
3) DNR Engine Opacity. The declarativeNetRequest engine must process rulesets in constant time per request. Pad work to a fixed budget so attackers can't measure how many rules match.
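A way to check the jitter calibration asked for in defense 1 (Jitter Injection), as an added example that is not from the paper: it simulates reported callback latencies and measures how often an observer can still tell a busy victim extension from an idle one. The latency values, function names and observer model are constructed assumptions, and the example goes one step beyond the text by also varying how many samples the observer averages.

```javascript
// Added example: simulated latencies only; no browser API is called.
// BASE_MS, SIGNAL_MS and every other number here is a constructed assumption.
const BASE_MS = 2.0;   // callback latency while the victim extension is idle
const SIGNAL_MS = 0.4; // extra latency while the victim extension is busy

// mulberry32: small seeded PRNG so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// One reported latency: true cost, small natural noise, then browser jitter
// drawn uniformly from [0, jitterMs).
function reportedLatency(rand, busy, jitterMs) {
  const natural = (rand() - 0.5) * 0.1;
  return BASE_MS + (busy ? SIGNAL_MS : 0) + natural + rand() * jitterMs;
}

// Fraction of trials in which an observer that averages `samples` reported
// latencies and compares the mean with the midpoint tells busy from idle.
// 0.5 means the channel carries nothing; 1.0 means it leaks fully.
function observerAccuracy({ jitterMs, samples, trials = 2000, seed = 1 }) {
  const rand = mulberry32(seed);
  const threshold = BASE_MS + SIGNAL_MS / 2 + jitterMs / 2;
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const busy = i % 2 === 0;
    let sum = 0;
    for (let s = 0; s < samples; s++) sum += reportedLatency(rand, busy, jitterMs);
    if ((sum / samples > threshold) === busy) correct++;
  }
  return correct / trials;
}

const noJitter = observerAccuracy({ jitterMs: 0, samples: 1 });
const jittered = observerAccuracy({ jitterMs: 4, samples: 1 });
const averaged = observerAccuracy({ jitterMs: 4, samples: 400 });
console.log({ noJitter, jittered, averaged });
```

An accuracy near 0.5 means the jittered values carry no usable signal. Noise that hides a single sample can still be averaged away, so the amplitude has to be calibrated against the number of samples an observer can collect.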
The findings show that security analysis needs to look beyond explicit permission grants and also watch for implicit information flows through shared runtime resources. As browsers keep restricting overt data access, attackers will shift to these covert channels.