Attacking mobile browsers with extensions

This repository contains proofs of concept showcasing how to attack mobile browsers with extensions. It is a well-known fact that browser extensions could cause severe harm to a browser, as they are like privileged UXSS (Universal Cross-Site Scripting).

This work is related to the Thesis I wrote for my Master's degree in Cybersecurity in 2020. The full document will be available soon.

In each folder, you'll find a minimal working example as well as an explanation of the attack

Disclaimer

⚠️ This repository is for research and/or educational purposes only, the use of this code is your responsibility. I take no responsibility nor liability for how it is used. By using any of the files available in this repository, you are agreeing to use it AT YOUR OWN RISK.

Future work

The code was tested on Fennec (Firefox Android) and Kiwi Browser (Android). As it contains proofs of concepts, some style sheets or code were written according to a specific website and are not generic.
Moreover, some attacks rely on bugs that we reported and should be patched soon, if not already done.

Coming soon:

See more details about the attacks: https://borelenzo.github.io/thesis.html