CodeX: Contextual Flow Tracking for Browser Extensions
by Mohammad M. Ahmadpanah, MatÃas F. Gobbi, Daniel Hedin, Johannes Kinder, Andrei Sabelfeld.
In Proceedings of the 15th ACM Conference on Data and Application Security and Privacy (CODASPY), June 2025.
Browser extensions put millions of users at risk when misusing their elevated privileges. Despite the current practices of semi-automated code vetting, privacy-violating extensions still thrive in the official stores. We propose an approach for tracking contextual flows from browser-specific sensitive sources like cookies, browsing history, bookmarks, and search terms to suspicious network sinks through network requests. We demonstrate the effectiveness of the approach by a prototype called CodeX that leverages the power of CodeQL while breaking away from the conservativeness of bug-finding flavors of the traditional CodeQL taint analysis. Applying CodeX to the extensions published on the Chrome Web Store between March 2021 and March 2024 identified 1,588 extensions with risky flows. Manual verification of 339 of those extensions resulted in flagging 212 as privacy-violating, impacting up to 3.6M users.
[Paper] [Full version] [Materials]