Browser-Based Privacy-Invasive Attacks

Abstract—As the Web continues to evolve, browsers have become complex application platforms that mediate a significant part of our online activities. With web applications continuously introducing novel functionality to increase user engagement, browsers deploy novel APIs and technologies to support such initiatives. As a result, modern web browsers often integrate new technologies and mechanisms that introduce novel attack vectors with significant security and privacy implications. In this work, we focus on exploring JavaScript Service Worker and browser extensions, as two features of modern browsers, to find security and privacy issues.
We first conduct an exploration of the threat that JavaScript Service Workers pose to users and present a series of novel attacks that exploit their capabilities in most modern browsers. These attacks bypass current site isolation strategies and allow an attacker to infer the presence of third-party service workers through cross-origin requests hidden in iframes, thus reconstructing the user’s browsing history. Next, we present an automated approach for creating and detecting extension fingerprints. Then, we explore the true extent of the privacy threat that extension fingerprinting poses to users, and present a study on the feasibility of inference attacks that reveal private and sensitive user information based on the functionality and nature of their installed extensions.

Committee:
Prof. Jason Polakis, Chair and Advisor
Prof. Chris Kanich
Prof. Jon A. Solworth
Prof. Nick Nikiforakis (Stony Brook University)
Prof. Adam Doupé (Arizona State University)