KTH Publications (kth.se)
CodeX: Contextual Flow Tracking for Browser Extensions
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS; Chalmers University of Technology, Gothenburg, Sweden; University of Gothenburg, Gothenburg, Sweden. ORCID iD: 0000-0001-5365-0662
LMU Munich, Munich, Germany. ORCID iD: 0009-0003-8823-0029
Chalmers University of Technology, Gothenburg, Sweden; University of Gothenburg, Gothenburg, Sweden; Mälardalen University, Västerås, Sweden. ORCID iD: 0000-0002-6621-8390
LMU Munich, Munich, Germany. ORCID iD: 0000-0002-8594-7839
2025 (English). In: Proceedings of the Fifteenth ACM Conference on Data and Application Security and Privacy, CODASPY 2025. Association for Computing Machinery (ACM), 2025. Conference paper, Published paper (Refereed)
Abstract [en]

Browser extensions put millions of users at risk when misusing their elevated privileges. Despite the current practices of semi-automated code vetting, privacy-violating extensions still thrive in the official stores. We propose an approach for tracking contextual flows from browser-specific sensitive sources like cookies, browsing history, bookmarks, and search terms to suspicious network sinks through network requests. We demonstrate the effectiveness of the approach by a prototype called CodeX that leverages the power of CodeQL while breaking away from the conservativeness of bug-finding flavors of the traditional CodeQL taint analysis. Applying CodeX to the extensions published on the Chrome Web Store between March 2021 and March 2024 identified 1,588 extensions with risky flows. Manual verification of 339 of those extensions resulted in flagging 212 as privacy-violating, impacting up to 3.6M users.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2025.
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-364834
DOI: 10.1145/3714393.3726495
ISI: 001527521500003
Scopus ID: 2-s2.0-105011342229
OAI: oai:DiVA.org:kth-364834
DiVA id: diva2:1970337
Conference
Fifteenth ACM Conference on Data and Application Security and Privacy, CODASPY 2025, Pittsburgh, PA, USA, June 4-6, 2025
Note

QC 20250616

Available from: 2025-06-16. Created: 2025-06-16. Last updated: 2025-12-08. Bibliographically approved.

Open Access in DiVA

codex-2025 (635 kB), 85 downloads
File information
File name: FULLTEXT01.pdf
File size: 635 kB
Checksum SHA-512: e22908adf546ae3357ef201fe235d03be79ccad62966f88fd49d14701dc3870560339fa375c136b1528c22bc0cbd99d256388dc3a43915748be5c1d4843453d3
Type: fulltext
Mimetype: application/pdf

Other links
Publisher's full text
Scopus

Authority records

Ahmadpanah, Mohammad M.

Authors/editors
Ahmadpanah, Mohammad M.; Gobbi, Matías F.; Hedin, Daniel; Kinder, Johannes; Sabelfeld, Andrei
Organisation
Theoretical Computer Science, TCS
Computer Sciences
