Browser extensions are remarkably popular, with one in three Firefox users running at least one extension. Although well-intentioned, extension developers are often not security experts and write buggy code that can be exploited by malicious web site operators. In the Firefox extension system, these exploits are dangerous because extensions run with the user’s full privileges and can read and write arbitrary files and launch new processes. In this paper, we analyze 25 popular Firefox extensions and find that 88 % of these extensions need less than the full set of available privileges. Additionally, we find that 76 % of these extensions use unnecessarily powerful APIs, making it difficult to reduce their privileges. We propose a new browser extension system that improves security by using least privilege, privilege separation, and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability. Our design has been adopted as the Google Chrome extension system. 1

Browser extensions let developers add extra functionality to the browser. Although this enables popular new features, extensions threaten browser security because they are written by unknown third-party developers. An extension could be directly malicious, or a well-intentioned developer could write buggy code that leaks privileges to a malicious web site operator. This thesis advocates the development of an extension system that limits extensions’ privileges to the fewest privileges possible without crippling legitimate functionality. We motivate the reduction of extension privileges with a study of 25 Mozilla Firefox extensions. Currently, Firefox extensions have unrestricted access to browser privileges: extensions can delete files from the hard drive and launch processes. Our study shows that 88 % of the studied extensions do not require the most powerful privileges. We consider how the Firefox extension system could be changed to reduce extension privileges and remove the privilege gap. We then examine the new Google Chrome extension system, which supports restrictions on extensions as recommended by this work. We test the performance of their security mechanisms and study 25 popular Google Chrome extensions to see whether they are appropriately privileged. 1