CodeX: Contextual Flow Tracking for Browser Extensions
Paper in proceeding, 2025

Browser extensions put millions of users at risk when misusing their elevated privileges. Despite the current practices of semi-automated code vetting, privacy-violating extensions still thrive in the official stores. We propose an approach for tracking contextual flows from browser-specific sensitive sources like cookies, browsing history, bookmarks, and search terms to suspicious network sinks through network requests. We demonstrate the effectiveness of the approach by a prototype called CodeX that leverages the power of CodeQL while breaking away from the conservativeness of bug-finding flavors of the traditional CodeQL taint analysis. Applying CodeX to the extensions published on the Chrome Web Store between March 2021 and March 2024 identified 1,588 extensions with risky flows. Manual verification of 339 of those extensions resulted in flagging 212 as privacy-violating, impacting up to 3.6M users.

Authors

Seyed Mohammad Mehdi Ahmadpanah

Chalmers, Computer Science and Engineering, Information Security

Matías F. Gobbi

Ludwig-Maximilians-Universität München (LMU)

Daniel Hedin

Chalmers, Computer Science and Engineering, Information Security

Johannes Kinder

Ludwig-Maximilians-Universität München (LMU)

Andrei Sabelfeld

Chalmers, Computer Science and Engineering, Information Security

ACM Conference on Data and Application Security and Privacy

4007-1476 (ISSN)

the 15th ACM Conference on Data and Application Security and Privacy (CODASPY)
Pittsburgh, PA, USA,

WebSec: Securing Web-driven Systems

Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Subject Categories (SSIF 2025)

Computer and Information Sciences (Computer Engineering)

DOI

10.1145/3714393.3726495

More information

Last updated

2025-04-02