Attacking browser extensions
Blog post from GitHub
Browser extensions, which gained mainstream popularity in the early 2000s with Firefox and Chromium, have become common tools for enhancing the browsing experience; ad blockers are a typical example. Their security, however, remains a significant concern, and what is known about it is scattered across bug reports and coverage of malicious extensions.

This discussion examines the structure of extensions, focusing on the security differences between Firefox and Chromium and on the contexts in which extension files run: the background, content script, and popup contexts. Each context has a different level of access and its own potential vulnerabilities, such as cross-site scripting (XSS), server-side request forgery (SSRF), and Extension API injection, which can lead to significant security risks if not properly managed.

The transition from manifest version 2 to version 3 has introduced more secure settings and mitigations, such as more stringent permissions and the deprecation of unsafe-eval, reducing the attack surface. Yet issues like Universal XSS (UXSS) remain, particularly when developers make errors in permissions and messaging policies.

For users, ensuring extension security involves checking the manifest file for permissions and preferring extensions that adhere to the latest security standards. Developers and researchers can use tools like CodeQL to model and identify vulnerabilities, improving extension security through best practices and ongoing improvements in browser security protocols.
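The manifest review the post recommends for users and developers can be partly automated. The following is an added example, not code from the GitHub post or from any extension it discusses: a small linter that parses a manifest.json and reports the settings a reviewer looks at first (manifest version, broad host permissions, a CSP that allows unsafe-eval or unsafe-inline, content scripts and externally_connectable entries that match every origin, and web-accessible resources exposed to all sites). The two manifests are constructed samples; the function and pattern names are this example's own.

```javascript
// Added example (not from the GitHub post): lint a manifest.json for the
// settings that most widen an extension's attack surface. Both manifests
// below are constructed samples, one in the MV2 shape and one in MV3.

const MV2_SAMPLE = {
  manifest_version: 2,
  name: "Example MV2 extension (constructed)",
  version: "1.0",
  permissions: ["tabs", "storage", "<all_urls>"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  background: { scripts: ["background.js"] },
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  externally_connectable: { matches: ["*://*/*"] },
  web_accessible_resources: ["inject.html"],
};

const MV3_SAMPLE = {
  manifest_version: 3,
  name: "Example MV3 extension (constructed)",
  version: "1.0",
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
  background: { service_worker: "background.js" },
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
  externally_connectable: { matches: ["https://example.com/*"] },
  web_accessible_resources: [{ resources: ["inject.html"], matches: ["https://example.com/*"] }],
};

// True for match patterns that cover every host (of one scheme or of all schemes).
// Subdomain wildcards such as "*://*.example.com/*" are deliberately not flagged.
function isBroadMatch(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?|file|ftp):\/\/\*\//.test(pattern);
}

function lintManifest(manifest) {
  const findings = [];

  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version ${manifest.manifest_version}: MV2 lacks the stricter MV3 defaults`);
  }

  // Host access: MV2 lists host patterns under "permissions", MV3 under "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of declared) {
    if (isBroadMatch(p)) findings.push(`broad host permission: ${p}`);
  }

  // CSP: MV2 is a single string, MV3 is an object keyed by context.
  const csp = typeof manifest.content_security_policy === "string"
    ? manifest.content_security_policy
    : (manifest.content_security_policy && manifest.content_security_policy.extension_pages) || "";
  for (const src of ["'unsafe-eval'", "'unsafe-inline'"]) {
    if (csp.includes(src)) findings.push(`content_security_policy allows ${src}`);
  }

  // Content scripts run inside every matching page; broad matches widen the blast radius.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadMatch(m)) findings.push(`content script injected into ${m}`);
    }
  }

  // externally_connectable lets the listed web origins message the background context directly.
  const connectable = (manifest.externally_connectable && manifest.externally_connectable.matches) || [];
  for (const m of connectable) {
    if (isBroadMatch(m)) findings.push(`externally_connectable open to ${m}`);
  }

  // web_accessible_resources: MV2 strings are reachable from any origin; MV3 entries scope by "matches".
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      findings.push(`web_accessible_resource ${entry} exposed to all origins (MV2 form)`);
    } else {
      for (const m of entry.matches || []) {
        if (isBroadMatch(m)) findings.push(`web_accessible_resources ${entry.resources.join(",")} exposed to ${m}`);
      }
    }
  }
  return findings;
}

// Convenience wrapper for the raw file contents of a manifest.json.
function lintManifestJson(text) {
  return lintManifest(JSON.parse(text));
}

console.log(lintManifest(MV2_SAMPLE)); // six findings for the constructed MV2 manifest
console.log(lintManifest(MV3_SAMPLE)); // []
```

The linter reports findings rather than verdicts: a broad host permission is legitimate for an ad blocker, so each entry is something to justify in review, not an automatic rejection. Feeding it the manifest of an installed extension is enough to see at a glance whether it has moved to MV3 and how far its reach extends.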