CodeX: Contextual Flow Tracking for Browser Extensions
Paper in proceeding, 2025
Browser extensions put millions of users at risk when misusing their elevated privileges. Despite the current practices of semi-automated code vetting, privacy-violating extensions still thrive in the official stores. We propose an approach for tracking contextual flows from browser-specific sensitive sources like cookies, browsing history, bookmarks, and search terms to suspicious network sinks through network requests. We demonstrate the effectiveness of the approach by a prototype called CodeX that leverages the power of CodeQL while breaking away from the conservativeness of bug-finding flavors of the traditional CodeQL taint analysis. Applying CodeX to the extensions published on the Chrome Web Store between March 2021 and March 2024 identified 1,588 extensions with risky flows. Manual verification of 339 of those extensions resulted in flagging 212 as privacy-violating, impacting up to 3.6M users.
Author
Seyed Mohammad Mehdi Ahmadpanah
Chalmers, Computer Science and Engineering (Chalmers), Information Security
Matías F. Gobbi
Ludwig Maximilian University of Munich (LMU)
Daniel Hedin
Chalmers, Computer Science and Engineering (Chalmers), Information Security
Johannes Kinder
Ludwig Maximilian University of Munich (LMU)
Andrei Sabelfeld
Chalmers, Computer Science and Engineering (Chalmers), Information Security
ACM Conference on Data and Application Security and Privacy
4007-1476 (ISSN)
the 15th ACM Conference on Data and Application Security and Privacy (CODASPY)
Pittsburgh, PA, USA,
Pittsburgh, PA, USA,
WebSec: Securing Web-driven Systems
Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.
Subject Categories (SSIF 2025)
Computer and Information Sciences
DOI
10.1145/3714393.3726495