Understanding the Inconsistencies in the Permissions Mechanism of Web Browsers

Abstract

Modern Web services provide advanced features by utilizing hardware resources on the user’s device. Web browsers implement a user consent-based permission model to protect user privacy. In this study, we developed Permium, a web browser analysis framework that automatically analyzes the behavior of permission mechanisms implemented by various browsers. We systematically studied the behavior of permission mechanisms for 22 major browser implementations running on five different operating systems. We found fragmented implementations. Implementations between browsers running on different operating systems are not always identical. We determined that implementation inconsistencies could lead to privacy risks. We identified gaps between browser permission implementations and user perceptions from the user study corresponding to the analyses using Permium. Based on the implementation inconsistencies, we developed two proof-of-concept attacks and evaluated their feasibility. The first attack uses permission information to secretly track the user. The second attack aims to create a situation in which the user cannot correctly determine the origin of the permission request and the user mistakenly grants permission. Finally, we clarify the technical issues that must be standardized in privacy mechanisms and provide recommendations to OS/browser vendors to mitigate the threats identified in this study.