Title: Monkey-in-the-browser: Malware and vulnerabilities in augmented browsing script markets
Authors: Van Acker, Steven
Nikiforakis, Nick
Desmet, Lieven
Piessens, Frank
Joosen, Wouter
Issue Date: 2-Jun-2014
Conference: ASIACCS edition:2014 location:Kyoto, Japan date:2-4 June 2014
Abstract: With the constant migration of applications from the desktop to the web, power users have found
ways of enhancing web applications, at the client-side, according to their needs.

In this paper, we investigate this phenomenon by focusing on the popular Greasemonkey extension which enables
users to write scripts
that arbitrarily change the content of any page, allowing them to remove unwanted features from web
applications, or add additional, desired features to them.
The creation of script markets, on which these scripts are often shared, extends the standard web security model
with two new actors, introducing novel vulnerabilities.

We describe the architecture of Greasemonkey and
perform a large-scale analysis of the most popular, community-driven, script market for Greasemonkey.
Through our analysis, we discover not only dozens of malicious scripts waiting to be installed
by users, but thousands of benign scripts with vulnerabilities that could be abused by attackers. In 58 cases,
the vulnerabilities are so severe, that they can be used to bypass the Same-Origin Policy of the user's browser
and steal sensitive user-data from all sites. We verify the practicality of our attacks, by developing a proof-of-concept exploit against a vulnerable user script with an installation base of 1.2 million users, equivalent to a ``Man-in-the-browser'' attack.
Description: online only
Publication status: published
KU Leuven publication type: IC
Appears in Collections:Informatics Section

Files in This Item:
File Description Status SizeFormat
asia081s.pdf Published 235KbAdobe PDFView/Open


All items in Lirias are protected by copyright, with all rights reserved.