Security and Privacy Issues of Modern Web Browsers
Abstract
The modern web, as users experience it, bears little resemblance to the original World Wide Web invented by Tim Berners-Lee. Static, stateless HTML pages with text and the occasional pixelated image gave way to dynamic, stateful, TLS-protected Web 2.0 pages where the expressiveness of JavaScript and the ever-expanding set of HTML5 APIs enable users to spend the vast majority of their time within a browser, with little need for traditional installed applications. As we keep adding new features to modern browsers, we are also invariably increasing their attack surface.
In this talk, we are going to present three recent results from our group on the security and privacy of modern web browsers. On the security front, we will discuss the idiosyncrasies of mobile web browsers and show that they are vulnerable to attacks that were never an issue on traditional desktop platforms. We will present the results of analyzing over 2,000 versions of mobile browsers, spanning five years and 128 browser families, and show that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. On the privacy front, we focus on the extension systems of modern browsers and show that browser extensions can be abused to fingerprint users against their will and identify their socioeconomic status and political inclinations. Finally, we will present our analysis of PII-leaking extensions, where we find that popular browser extensions, whether on purpose or by accident, leak a user's browsing history to multiple third-party servers.