CodeX: Contextual Flow Tracking for Browser Extensions
Paper in proceeding, 2025

Browser extensions put millions of users at risk when misusing their elevated privileges. Despite the current practices of semi-automated code vetting, privacy-violating extensions still thrive in the official stores. We propose an approach for tracking contextual flows from browser-specific sensitive sources like cookies, browsing history, bookmarks, and search terms to suspicious network sinks through network requests. We demonstrate the effectiveness of the approach by a prototype called CodeX that leverages the power of CodeQL while breaking away from the conservativeness of bug-finding flavors of the traditional CodeQL taint analysis. Applying CodeX to the extensions published on the Chrome Web Store between March 2021 and March 2024 identified 1,588 extensions with risky flows. Manual verification of 339 of those extensions resulted in flagging 212 as privacy-violating, impacting up to 3.6M users.

Author

Seyed Mohammad Mehdi Ahmadpanah

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Matías F. Gobbi

Ludwig Maximilian University of Munich (LMU)

Daniel Hedin

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Johannes Kinder

Ludwig Maximilian University of Munich (LMU)

Andrei Sabelfeld

Chalmers, Computer Science and Engineering (Chalmers), Information Security

ACM Conference on Data and Application Security and Privacy

4007-1476 (ISSN)

the 15th ACM Conference on Data and Application Security and Privacy (CODASPY)
Pittsburgh, PA, USA,

WebSec: Securing Web-driven Systems

Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Subject Categories (SSIF 2025)

Computer and Information Sciences

DOI

10.1145/3714393.3726495

More information

Latest update

4/2/2025 1