CodeX: Contextual Flow Tracking for Browser Extensions
Paper i proceeding, 2025
Browser extensions put millions of users at risk when misusing their elevated privileges. Despite the current practices of semi-automated code vetting, privacy-violating extensions still thrive in the official stores. We propose an approach for tracking contextual flows from browser-specific sensitive sources like cookies, browsing history, bookmarks, and search terms to suspicious network sinks through network requests. We demonstrate the effectiveness of the approach by a prototype called CodeX that leverages the power of CodeQL while breaking away from the conservativeness of bug-finding flavors of the traditional CodeQL taint analysis. Applying CodeX to the extensions published on the Chrome Web Store between March 2021 and March 2024 identified 1,588 extensions with risky flows. Manual verification of 339 of those extensions resulted in flagging 212 as privacy-violating, impacting up to 3.6M users.
Författare
Seyed Mohammad Mehdi Ahmadpanah
Chalmers, Data- och informationsteknik, Informationssäkerhet
Matías F. Gobbi
Ludwig-Maximilians-Universität München (LMU)
Daniel Hedin
Chalmers, Data- och informationsteknik, Informationssäkerhet
Johannes Kinder
Ludwig-Maximilians-Universität München (LMU)
Andrei Sabelfeld
Chalmers, Data- och informationsteknik, Informationssäkerhet
ACM Conference on Data and Application Security and Privacy
4007-1476 (ISSN)
the 15th ACM Conference on Data and Application Security and Privacy (CODASPY)
Pittsburgh, PA, USA,
Pittsburgh, PA, USA,
WebSec: Säkerhet i webb-drivna system
Stiftelsen för Strategisk forskning (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.
Ämneskategorier (SSIF 2025)
Data- och informationsvetenskap (Datateknik)
DOI
10.1145/3714393.3726495