A research team has some worrying news. Researchers discovered two new flaws that might affect most of our browsers. These flaws affect the extension systems that are built into the browsers.
The research team
The team published the findings in a paper titled “Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies”. All the researchers are European, one from a French research center named Eurecom and two from the Spanish University of Deusto. “We responsibly disclosed all our findings and we are now discussing with the developers of several browsers and extensions to propose the correct countermeasures to mitigate these attacks in both current and future versions,” they said.
URI leakage makes Safari vulnerable
One of the flaws can harm the extension model of Safari. It is called URI leakage, and it can stop extensions from using the manifest.json file to restrict access to extension files. They will generate a random URL that is only available for one browser session.
WebExtensions API is also affected
The other flaw targets all extension systems: those used by Chromium-based browsers, but also the WebExtensions API. These were supposed to use access control settings in order to list every installed extension. Unless the manifest.json file is configured to enable it, the file restricts websites from verifying the extension’s internal files.
A “timing side-channel attack on access control settings validation” was also found. Browsers that use the Chromium WebExtensions API take longer to answer requests from websites for a malicious extension compared to a real one that has the wrong path.
Firefox might be affected by one of the flaws
One of the flaws makes extension systems vulnerable. The WebExtensions API used by Firefox adds special errors when files are requested from fake extensions.