「Understanding the Inconsistencies in the Permissions Mechanism of Web Browsers」

Understanding the Inconsistencies in the Permissions Mechanism of Web Browsers

[Journal of Information Processing Vol.31, pp.620-642]


Modern Web services provide advanced features by utilizing hardware resources on the user's device. Web browsers implement a user consent-based permission model to protect user privacy. In this study, we developed PERMIUM, a web browser analysis framework that automatically analyzes the behavior of permission mechanisms implemented by various browsers. We systematically studied the behavior of permission mechanisms for 22 major browser implementations running on five different operating systems. We found fragmented implementations. Implementations between browsers running on different operating systems are not always identical. We determined that implementation inconsistencies could lead to privacy risks. We identified gaps between browser permission implementations and user perceptions from the user study corresponding to the analyses using PERMIUM. Based on the implementation inconsistencies, we developed two proof-of-concept attacks and evaluated their feasibility. The first attack uses permission information to secretly track the user. The second attack aims to create a situation in which the user cannot correctly determine the origin of the permission request and the user mistakenly grants permission. Finally, we clarify the technical issues that must be standardized in privacy mechanisms and provide recommendations to OS/browser vendors to mitigate the threats identified in this study.

[Reasons for the award]

The paper develops a framework for automatic analysis of inconsistencies and vulnerabilities in privacy protection features, points out concerns caused by differences in web browser implementation among operating systems, and reports the feasibility of the attack through proof of concept. In addition to identifying technical issues that should be standardized in privacy protection mechanisms, the paper also describes recommendations for mitigating threats and is worthy of the Outstanding Paper Award.

Kazuki Nomoto

Kazuki Nomoto was born in 1999. He received his B.E. and M.E. degrees in engineering from the Department of Communications and Computer Engineering at Waseda University in 2021 and 2023, respectively. He is currently a PhD student in the Department of Computer Science and Communications Engineering at Waseda University. In 2023, he joined Deloitte Tohmatsu Cyber LLC, where he has been engaged in research on digital twins and autonomous vehicles. His research interests include web security and autonomous vehicle security. He is a member of the IEEE.

Takuya Watanabe

Takuya Watanabe received B.E. and M.E. degrees in computer science and engineering, and a Ph.D. in engineering from Waseda University in 2014, 2016, and 2020, respectively. Since joining the Nippon Telegraph and Telephone Corporation (NTT) in 2016, he has been engaged in research on system security and privacy from the perspective of an attacker, particularly in web and mobile applications. He is currently with the Cyber Security Project of NTT Social Informatics Laboratories.

Eitaro Shioji

Eitaro Shioji received his B.E. degree in Computer Science and M.E. degree in Communications and Integrated Systems from Tokyo Institute of Technology in 2008 and 2010, respectively. Since joining Nippon Telegraph and Telephone Corporation (NTT) in 2010, he has been engaged in research and development on cyber security. His research interests include systems and software security.

Mitsuaki Akiyama

Mitsuaki Akiyama received his M.E. and Ph.D. in engineering from Nara Institute of Science and Technology in 2007 and 2013. Since joining Nippon Telegraph and Telephone Corporation (NTT) in 2007, he has been engaged in research and development on cybersecurity. He is currently a Senior Distinguished Researcher at NTT Social Informatics Laboratories. He received the Cybersecurity Encouragement Award of the Minister for Internal Affairs and Communications in 2020 and IPSJ/IEEE Computer Society Young Computer Researcher Award in 2022. He is a senior member of IPSJ and a member of IEEE, SIGCHI, and IEICE.

Tatsuya Mori

Tatsuya Mori is currently a professor at Waseda University, where he has been a faculty member since 2013. He received his B.E. and M.E. degrees in applied physics and his Ph.D. in information science from Waseda University, in 1997, 1999, and 2005, respectively. He joined the NTT lab in 1999, where he has since been engaged in research on the measurement and analysis of networks and cybersecurity. From March 2007 to March 2008, he was a visiting researcher at the University of Wisconsin–Madison. He has received numerous Best Paper Awards, including those at NDSS 2020 and EuroUSEC 2021.