Bloated browsers the cause of many web security risks, suggest researchers

Bloated browsers raising security risks for users

Bloated web browsers carrying features that users barely even use, let alone understand, are causing multiple new security and privacy risks, researchers have claimed.

The researchers claim that web browser developers are constantly adding new capabilities, but many of them aren't used and need substantial security mechanisms to protect users.

Peter Snyder, a graduate student of computer science at the University of Illinois at Chicago, and his colleagues explored the costs and benefits associated with 74 different types of functionality.

The scientists believe that these technologies, collectively called web application programming interfaces (web APIs), pose "substantial security and privacy risks" to web surfers.

Blocking website access to such functionality, the researchers said, would minimise these risks. They measured how often each feature is used and how much of a security risk it poses.

Features that are of low benefit to users, but which pose high security risks, should be blocked to improve user safety, Snyder suggested.

"For example, browsers allow websites to perform low-level graphics calculations," he said. "We found that this functionality is rarely used on honest websites, but that malicious sites can use it to harm users' privacy and security."

Examples of high-risk, low-benefit functionality include code that detects room light levels and code that performs fine-grained timing operations.

During the study, Snyder and his team used Firefox as the test browser. They selected it because it is one of the most popular open-source browsers available.

Firefox has an "almost identical" range of features and capabilities when compared to browsers such as Chrome and Internet Explorer, meaning that these results would be similar across the board.

"Ultimately we saw that about 25 per cent of web APIs posed high risks to security and privacy and could be blocked without breaking websites," Snyder said. "The less code you have available through the web API, the safer websites you'll have."

As a result of their findings, Snyder and his team have created a browser extension that enables users to block superfluous browser functionality in a bid to improve security. Brave, which promotes safer web browsing, will incorporate aspects of the research into its own web browser.
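To make the blocking approach concrete, here is an added example (not the researchers' extension, nor Brave's code) of how a content script could remove the three kinds of functionality the article names: the light-level sensor constructor, low-level graphics contexts, and fine-grained timing. It takes the global object as a parameter so it can be applied to a real `window` or to the constructed stand-in defined below; the names `applyApiPolicy` and `makeFakeGlobal` are assumptions of this example.

```javascript
// Added example: shrink the web-API surface exposed to a page.
// `g` is the page's global object (window in a browser) or a stand-in.

const BLOCKED_CONSTRUCTORS = ['AmbientLightSensor'];            // room light levels
const BLOCKED_CONTEXTS = new Set(['webgl', 'webgl2', 'experimental-webgl']); // low-level graphics
const TIMER_GRANULARITY_MS = 100;                                 // coarsen fine-grained timing

function applyApiPolicy(g) {
  // 1. Remove high-risk constructors so `new g.AmbientLightSensor()` is impossible.
  for (const name of BLOCKED_CONSTRUCTORS) {
    if (name in g) {
      Object.defineProperty(g, name, { value: undefined, writable: false, configurable: false });
    }
  }
  // 2. Refuse low-level graphics contexts; other contexts such as '2d' keep working.
  const canvasProto = g.HTMLCanvasElement && g.HTMLCanvasElement.prototype;
  if (canvasProto && typeof canvasProto.getContext === 'function') {
    const originalGetContext = canvasProto.getContext;
    canvasProto.getContext = function (type, ...rest) {
      if (BLOCKED_CONTEXTS.has(String(type).toLowerCase())) return null;
      return originalGetContext.call(this, type, ...rest);
    };
  }
  // 3. Round high-resolution timestamps down to a coarse grid.
  if (g.performance && typeof g.performance.now === 'function') {
    const originalNow = g.performance.now.bind(g.performance);
    g.performance.now = () =>
      Math.floor(originalNow() / TIMER_GRANULARITY_MS) * TIMER_GRANULARITY_MS;
  }
  return g;
}

// Constructed stand-in for a browser global (assumption of this example),
// so the policy can be exercised outside a browser.
function makeFakeGlobal() {
  function HTMLCanvasElement() {}
  HTMLCanvasElement.prototype.getContext = function (type) { return { type }; };
  return {
    AmbientLightSensor: function AmbientLightSensor() {},
    HTMLCanvasElement,
    performance: { now: () => 1234.5678 },
  };
}
```

In a real extension the same function would be run as a content script against `window` before any page script executes, which is what makes the removal effective.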

Cynthia Taylor and Chris Kanich, assistant professors of computer science at UIC, worked with Snyder on the study. They'll present the research at the Association for Computing Machinery Conference on Computer and Communications Security in Dallas on 31 October.