Library resource promotion via browser extension; Understanding the threats of malicious browser extensions

Sitoula, Yukesh, School of Engineering and Applied Science, University of Virginia
Baritaud, Catherine, EN-Engineering and Society, University of Virginia
Ibrahim, Ahmed, EN-Comp Science Dept, University of Virginia

A browser extension is one of the most popular tools that extends the browser’s functionality allowing web users to perform a variety of tasks from the browser. The technical project creates a Google Chrome browser extension for the University of Virginia (U.Va.) Library which informs students and staff about resources that can be obtained free-of-cost, helping users to save some money that might be otherwise used to get resources through online e-commerce websites. The goal of the technical project is to increase the usage of unused resources laying around in the U.Va. Library for students and staffs to use. Loosely coupled with the technical project, the Science, Technology and Society (STS) research paper uses the Actor-Network Theory (ANT) framework to analyze the threats of a malicious browser extension on users’ privacy and how web users can minimize the possibility of an attack. It is important to research this topic because of the huge potential of a malicious browser extension, the rapid increase in the malicious browser extension’s number, and the lack of attention from defense experts.
A browser extension is an extremely popular tool, with hundreds of millions of downloads. The main reason for its popularity is because of its ease to use and its enormous potential. Once downloaded and installed, the browser extension does not require much user involvement, and also it does not take up much computer storage, so the user does not have to spend unnecessary time and computer storage. Therefore, instead of creating computer software, which takes much more storage than browser extension and also requires the user to open and close whenever the user wants to use it, the capstone team decided to create browser extension, which is easy to download, install, and use. Since most UVA students and staffs have Google Chrome browser installed in their computer, they can easily obtain the library browser extension within a minute from the browser web store.
By creating a Google Chrome browser extension that recommends UVA library resources when a user search from e-commerce sites like Amazon, Google Scholars, and Barnes and Nobles, the problem has been successfully addressed and possibly might solve the problem soon. The browser extension will recommend potential matches to the searched items from the e-commerce sites in less than 10 seconds, by showing the result through a bar at the top of the screen and thorough the browser extension popup icon. The UVA library extension meets all of the requirements for the system, which was gathered from the client throughout the development phase, and also includes some future enhancements like showing library services and user search history. The browser extension also complies with the W3C accessible use standards. Through this technical project, the users will become more aware of the library resources available to them, leading to increased utilization of valuable services that improve academic research and performance at the university.
The STS research paper is focused on raising awareness than looking for a potential solution. The research question is “How can the web users protect their privacy given that the popularity of browser extension, as well as the number of a malicious browser extension, is rapidly increasing?” This research question is important because the browser extension attacks are getting more advanced and sophisticated every day. To answer the research question, the STS research paper examines four steps. First the paper identifies the security vulnerability of Google Chrome and Mozilla Firefox. Then, it provides a few privacy laws protecting web users’ privacy and explains why these laws might not be enough for web users to be safe. Next, the paper introduces three malicious browser extensions and one malware to explain how and why cybercriminals are using malicious browser extensions to attack. Finally, the paper provides general countermeasures and defenses that web users and browser developers can apply to minimize the possibility of attacks via browser extensions.
The browser provides many capabilities to the browser extensions that can compromise a user’s security and privacy. The browser extension can read, edit, write, and replace any website’s DOM, crash browser, steal location data, check user’s keystrokes, mouse strokes and touch strokes, read, edit and delete cookies, read, write, and delete history, and many more. The browser provides way too much power to the browser extensions, and these powers can be easily utilized by cybercriminals to attack general web users. There are few laws which try to protect web users, but these laws are not easy to execute because it is tough to find the advanced cybercriminals. Therefore, it is up to web users to act defensively and minimize the possibility of getting attacked.
In conclusion, the technical project addresses the problem of university students and staffs not using free resources available in the library but instead spending money by buying resources from e-commerce websites such as Amazon, Barnes and Nobles, etc. The STS research paper explains the threats of a malicious browser extension, and the countermeasures to become safe online. Through the technical project, the users will be able to find resources for free and save money, and through STS research paper, the readers will be able to protect their data and money more safely. The browser extension is an amazing tool that can help web users, if used safely, and is extremely dangerous if the web users are not cautious.

BS (Bachelor of Science)
Actor-Network Theory (ANT), Malicious browser extension, browser extension, web users privacy

School of Engineering and Applied Science
Bachelor of Science in Computer Science
Technical Advisor: Ahmed Ibrahim
STS Advisor: Catherine D. Baritaud
Technical Team Members: Ryan Kelly, Tho Nguyen, Benjamin Ormond, Nitesh Parajuli, Benjamin Spector, Ashish Upadhyaya

All rights reserved (no additional license for public reuse)
Issued Date: