A4 Refereed article in a conference publication
Man-in-the-browser Attack: A Case Study on Malicious Browser Extensions
Authors: Sampsa Rauti
Editors: Sabu M. Thampi, Gregorio Martinez Perez, Ryan Ko, Danda B. Rawat
Conference name: International Symposium on Security in Computing and Communication
Publication year: 2020
Journal: Communications in Computer and Information Science
Book title : Security in Computing and Communications: 7th International Symposium, SSCC 2019, Trivandrum, India, December 18–21, 2019, Revised Selected Papers
Series title: Communications in Computer and Information Science
Volume: 1208
First page : 60
Last page: 71
ISBN: 978-981-15-4824-6
ISSN: 1865-0929
DOI: https://doi.org/10.1007/978-981-15-4825-3_5
Self-archived copy’s web address: https://research.utu.fi/converis/portal/detail/Publication/44603241
Man-in-the-browser (MitB) attacks, often implemented as malicious browser extensions, have the ability to alter the structure and contents of web pages, and stealthily change the data given by the user before it is sent to the server. This is done without the user or the online service (the server) noticing anything suspicious. In this study, we present a case study on the man-in-the-browser attack. Our proof-of-concept implementation demonstrates how easily this attack can be implemented as a malicious browser extension. The implementation is a UI-level, cross-browser implementation using JavaScript. We also successfully test the extension in a real online bank. By demonstrating a practical man-in-the-browser attack, our research highlights the need to better monitor and control malicious browser extensions.
Downloadable publication This is an electronic reprint of the original article. |  |
