Search Icon
Register

Browser Permission Mechanisms Demystified

Kazuki Nomoto (Waseda University), Takuya Watanabe (NTT Social Informatics Laboratories), Eitaro Shioji (NTT Social Informatics Laboratories), Mitsuaki Akiyama (NTT Social Informatics Laboratories), Tatsuya Mori (Waseda University/NICT/RIKEN AIP)

Modern Web services provide rich content by accessing resources on user devices, including hardware devices such as cameras, microphones, and GPSs. Web browser vendors have adopted permission mechanisms that achieve appropriate control over access to such resources to protect user privacy. The permission mechanism gives users the ability to grant or deny their browser access to resources for each website. Despite the importance of permission mechanisms in protecting user privacy, previous studies have not been conducted to systematically understand their behavior and implementation. In this study, we developed Permium, a web browser analysis framework that automatically analyzes the behavior of permission mechanisms implemented by various browsers. Using the Permium framework, we systematically studied the behavior of permission mechanisms for 22 major browser implementations running on five different operating systems, including mobile and desktop. We determined that the implementation and behavior of permission mechanisms are fragmented and inconsistent between operating systems, even for the same browser (i.e., Windows Chrome vs. iOS Chrome) and that the implementation inconsistencies can lead to privacy risks. Based on the behavior and implementation inconsistencies of the permission mechanism revealed by our measurement study, we developed two proof-of-concept attacks and evaluated their feasibility. The first attack uses the permission information collected by exploiting the inconsistencies to secretly track the user. The second attack aims to create a situation in which the user cannot correctly determine the origin of the permission request, and the user incorrectly grants permission to a malicious site. Finally, we clarify the technical issues that must be standardized in privacy mechanisms and provide recommendations to OS/browser vendors to mitigate the threats identified in this study.

Paper
Slides
Video

View More Papers

Using automation to prevent internet exposures becoming incidents

Johnathan Wilkes, Palo Alto Networks

Read More

LOKI: State-Aware Fuzzing Framework for the Implementation of Blockchain...

Fuchen Ma (Tsinghua University), Yuanliang Chen (Tsinghua University), Meng Ren (Tsinghua University), Yuanhang Zhou (Tsinghua University), Yu Jiang (Tsinghua University), Ting Chen (University of Electronic Science and Technology of China), Huizhong Li (WeBank), Jiaguang Sun (School of Software, Tsinghua University)

Read More

Fusion: Efficient and Secure Inference Resilient to Malicious Servers

Caiqin Dong (Jinan University), Jian Weng (Jinan University), Jia-Nan Liu (Jinan University), Yue Zhang (Jinan University), Yao Tong (Guangzhou Fongwell Data Limited Company), Anjia Yang (Jinan University), Yudan Cheng (Jinan University), Shun Hu (Jinan University)

Read More

Backdoor Attacks Against Dataset Distillation

Yugeng Liu (CISPA Helmholtz Center for Information Security), Zheng Li (CISPA Helmholtz Center for Information Security), Michael Backes (CISPA Helmholtz Center for Information Security), Yun Shen (Netapp), Yang Zhang (CISPA Helmholtz Center for Information Security)

Read More