Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions

Users have come to rely on browser extensions to realize features that are not implemented by browser vendors. Extensions offer users the ability to, among others, block ads, de-clutter websites, enrich pages with third-party content, and take screenshots. At the same time, because of their privileged position inside a user’s browser, extensions have access to content and functionality that is not available to webpages, such as, the ability to conduct and read crossorigin requests, as well as get access to a browser’s history and cookie jar. In this paper, we report on the first large-scale study of privacy leakage enabled by extensions. By using dynamic analysis and simulated user interactions, we investigate the leaking happening by the 10,000 most popular browser extensions of Google Chrome and find that a non-negligible fraction leaks sensitive information about the user’s browsing habits, such as, their browsing history and search-engine queries. We identify common ways that extensions use to obfuscate this leakage and discover that, while some leakage happens on purpose, a large fraction of it is accidental because of the way that extensions attempt to introduce thirdparty content to a page’s DOM. To counter the inference of a user’s interests and private information enabled by this leakage, we design, implement, and evaluate BrowsingFog, a browser extension that automatically browses the web in a way that conceals a user’s true interests, from a vantage point of history-stealing, third-party trackers.