Browser Extension (In)Security

Mercoledì 18 Dicembre 2024 14:00

Relatore: Dr Aurore Fass, CISPA Helmholtz Center for Information Security
Time and location: December 18, 2024, 2 p.m.; Room L1.4, Building MO17 (Physics Building) Dept. FIM – Via Campi 213/b – Modena

Abstract: Browser extensions are popular to enhance user browsing experience: they offer additional functionality to Web users, such as ad blocking, grammar checks, or password management. To operate, browser extensions need elevated privileges compared to web pages. This, unfortunately, makes browser extensions an attractive target for attackers. In fact, when used "maliciously", browser extensions can pose a significant threat to Web users. But how can extensions put the security and privacy of Web users at risk? How many dangerous extensions have been in the Chrome Web Store? How can we detect dangerous extensions?

In this presentation, I will answer these questions. I will first define classes of "Security-Noteworthy Extensions" (SNE) that can harm users. Then, I will focus on vulnerable extensions and present DoubleX, our open-source static analyzer that detects vulnerable data flows in browser extensions with high precision (89%) and recall (93%). Through this talk, I aim to raise awareness about the risks posed by browser extensions and discuss strategies for mitigating such threats.

Short bio: Aurore Fass is a Tenure-Track Faculty at CISPA Helmholtz Center for Information Security. She got her Ph.D. from CISPA &
Saarland University in 2021. From 2021–2023, she was a Visiting Assistant Professor of Computer Science at Stanford University. Aurore's research broadly focuses on Web Security & Privacy and Web Measurements.
 

Autore: Costantino GRANA - Ultima modifica: Venerdì 13 Dicembre 2024 12:00