JTaint: Finding Privacy-Leakage in Chrome Extensions

Extensions are used by many Chrome browser users to enhance browser functions and users' online experience. These extensions run with special permissions, they can read and modify the element of DOM (Document Object Model) in users' web pages. But, excessive permissions and operation behaviors have brought users heavy risks such as the privacy leakage caused by extensions. Dynamic taint analysis techniques are often exploited to discover the privacy leakage, it monitors code execution by modifying the JavaScript interpreter or rewriting the JavaScript source code. However, interpreter-level taint technique needs to overcome the complexity of the interpreter, and there are also many difficulties in designing taint propagation rules for bytecode. And source-level taint technique is undertainted like Jalangi2, which will trigger some exceptions in practice. To this end, we design JalangiEX based on Jalangi2. JalangiEX fixes problems in Jalangi2 and strips its redundant codes. Besides, JalangiEX also monitors two types of initialization actions and provides taint propagation support for message passing between different pages, which further solves the undertaint problem of Jalangi2. Moreover we implement JTaint, a dynamic taint analysis system that uses JalangiEX to rewrite the extension and monitors the process of taint propagation to discover potential privacy leaks in Chrome extensions. Finally, we use JTaint to analyze 20,000 extensions from Chrome Web Store and observe the data flow of extensions on a special honey page. Fifty-seven malicious extensions are recognized to leak sensitive-privacy information and are still active in the Chrome Web Store.