Man-in-the-browser Attack: A Case Study on Malicious Browser Extensions
: Sampsa Rauti
: Sabu M. Thampi, Gregorio Martinez Perez, Ryan Ko, Danda B. Rawat
: International Symposium on Security in Computing and Communication
: 2020
: Communications in Computer and Information Science
: Security in Computing and Communications: 7th International Symposium, SSCC 2019, Trivandrum, India, December 18–21, 2019, Revised Selected Papers
: Communications in Computer and Information Science
: 1208
: 60
: 71
: 978-981-15-4824-6
: 1865-0929
DOI: https://doi.org/10.1007/978-981-15-4825-3_5(external)
: https://research.utu.fi/converis/portal/detail/Publication/44603241(external)
Man-in-the-browser (MitB) attacks, often implemented as malicious browser extensions, have the ability to alter the structure and contents of web pages, and stealthily change the data given by the user before it is sent to the server. This is done without the user or the online service (the server) noticing anything suspicious. In this study, we present a case study on the man-in-the-browser attack. Our proof-of-concept implementation demonstrates how easily this attack can be implemented as a malicious browser extension. The implementation is a UI-level, cross-browser implementation using JavaScript. We also successfully test the extension in a real online bank. By demonstrating a practical man-in-the-browser attack, our research highlights the need to better monitor and control malicious browser extensions.
