JVNDB-2023-027250

Security Problem in Web Browser Permission Mechanism

Overview

A research team from Waseda University and NTT Social Informatics Laboratories conducted a systematic analysis of the permission mechanisms of 5 different operating systems (both mobile and desktop) and 22 major browsers running on them. The results show multiple problems, including inconsistent implementations of permission mechanisms across browsers and flaws that can result in privacy risks. These problems can lead browser users to make bad decisions and create security threats. The findings below were presented by the research team at NDSS 2023.

Please refer to JVNTA#96606604 for more details.

This document was written by Kazuki Nomoto (Waseda University), Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama (NTT Social Informatics Laboratories), and JPCERT/CC to alert browser vendors and users.

Affected Products

Web browser application

(Multiple Vendors)
  • (Multiple Products)

Impact

Inconsistencies in permission mechanisms among browsers can confuse web browser users and lead them to wrong decisions. Furthermore, inconsistencies between permission mechanisms and features that are important for protecting user privacy, such as private browsing mode, can leak information that should be protected.

Please refer to JVNTA#96606604 for more details.

Solution

Countermeasures on browser vendor side

For browser implementations, the research team recommends the following countermeasures:

* Do not share permission settings across browsing modes (normal/private).
* Explicitly delete any permission settings configured during a private browsing session when that session ends.
* Do not display a permission request dialog from a background tab as an overlay.

In their published paper, the research team also recommends that web standards organizations standardize the following points and share best practices among browser vendors:

* Provide an option to delete permission settings periodically instead of making them consistent.
* Do not automatically change a permission from "prompt" to "denied" when the website is reloaded multiple times.
* Restrict permission requests from web pages embedded in iframes.
* Give users a clear visualization of their permission settings so that they can easily configure them.
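The iframe recommendation above can already be applied by site operators through the W3C Permissions-Policy response header, which lets a top-level page decide which embedded origins may request a feature such as camera or geolocation. The following is an added example, not code from the advisory or the research team; the header value, the origins and the simplified evaluation rules are constructed for illustration.

```javascript
// Minimal evaluator for a subset of the Permissions-Policy header grammar:
//   feature=(allowlist), ...   where allowlist is (), *, self, or quoted origins
// e.g.  geolocation=(self "https://maps.example"), camera=()
function parsePermissionsPolicy(header) {
  const policy = new Map();
  for (const directive of header.split(',')) {
    const d = directive.trim();
    if (!d) continue;
    const eq = d.indexOf('=');
    const feature = d.slice(0, eq).trim();
    let value = d.slice(eq + 1).trim();
    if (value.startsWith('(') && value.endsWith(')')) value = value.slice(1, -1);
    const tokens = value.split(/\s+/).filter(Boolean).map(t => t.replace(/^"|"$/g, ''));
    policy.set(feature, tokens); // camera=() yields an empty allowlist: nobody may ask
  }
  return policy;
}

// Decide whether a frame at requestingOrigin, embedded in a top-level page at
// topOrigin, may request `feature`. Features absent from the header keep the
// browser default, which for camera, microphone and geolocation is 'self'.
// Real browsers additionally require the iframe's allow="" attribute to delegate
// a feature to a cross-origin frame; this helper models the header only.
function isAllowed(policy, feature, topOrigin, requestingOrigin) {
  const allowlist = policy.has(feature) ? policy.get(feature) : ['self'];
  if (allowlist.includes('*')) return true;
  if (allowlist.includes('self') && requestingOrigin === topOrigin) return true;
  return allowlist.includes(requestingOrigin);
}

// Constructed sample: a shop page embeds a map provider and a third-party ad.
const SAMPLE_HEADER = 'geolocation=(self "https://maps.example"), camera=(), microphone=()';
const TOP = 'https://shop.example';
const MAPS = 'https://maps.example';
const AD = 'https://ads.example';

function evaluateSample() {
  const policy = parsePermissionsPolicy(SAMPLE_HEADER);
  const defaults = parsePermissionsPolicy('camera=()'); // geolocation not mentioned
  return {
    topGeolocation: isAllowed(policy, 'geolocation', TOP, TOP),      // page itself may ask
    mapsGeolocation: isAllowed(policy, 'geolocation', TOP, MAPS),    // delegated origin may ask
    adGeolocation: isAllowed(policy, 'geolocation', TOP, AD),        // ad frame may not
    adCamera: isAllowed(policy, 'camera', TOP, AD),                  // camera=() blocks everyone
    topCamera: isAllowed(policy, 'camera', TOP, TOP),                // including the page itself
    defaultThirdParty: isAllowed(defaults, 'geolocation', TOP, AD),  // default 'self' blocks the frame
    defaultTop: isAllowed(defaults, 'geolocation', TOP, TOP),        // default 'self' allows the page
  };
}

console.log(evaluateSample());
```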

Countermeasures on user side

[Use guest mode]

Browser users can reduce these threats by using guest mode, which is available in many browsers, instead of private browsing mode. Since guest mode operates with a temporary guest user profile that is separate from the normal one, browsing in guest mode is not affected by the normal profile's settings. In addition, permission settings configured for the guest user do not affect the normal profile.

[Check the permission request dialog carefully]

It is important to check the permission request dialog carefully when using a browser. The research shows that the website a user is browsing is not always the website making the permission request. Users need to check the domain of the requesting website, which is displayed on the permission request dialog, and judge whether that website should be trusted. It is also important to check carefully which types of permission are requested, which are likewise displayed on the dialog, and to avoid granting unnecessary permissions to websites.

References

  1. JVN : JVNTA#96606604
  2. Related document : Browser Permission Mechanisms Demystified - NDSS Symposium 2023
Revision History

  • [2024/09/11]
      Web page was published