What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions
- URL: http://arxiv.org/abs/2406.12710v1
- Date: Tue, 18 Jun 2024 15:25:06 GMT
- Title: What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions
- Authors: Sheryl Hsu, Manda Tran, Aurore Fass
- Abstract summary: This paper is the first attempt at providing a holistic view of the Chrome Web Store (CWS). We leverage historical data provided by ChromeStats to study global trends in the CWS and security implications.
- Score: 1.2499537119440243
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: This paper is the first attempt at providing a holistic view of the Chrome Web Store (CWS). We leverage historical data provided by ChromeStats to study global trends in the CWS and security implications. We first highlight the extremely short life cycles of extensions: roughly 60% of extensions stay in the CWS for one year. Second, we define and show that Security-Noteworthy Extensions (SNE) are a significant issue: they pervade the CWS for years and affect almost 350 million users. Third, we identify clusters of extensions with a similar code base. We discuss how code similarity techniques could be used to flag suspicious extensions. By developing an approach to extract URLs from extensions' comments, we show that extensions reuse code snippets from public repositories or forums, leading to the propagation of dated code and vulnerabilities. Finally, we underline a critical lack of maintenance in the CWS: 60% of the extensions in the CWS have never been updated; half of the extensions known to be vulnerable are still in the CWS and still vulnerable 2 years after disclosure; a third of extensions use vulnerable library versions. We believe that these issues should be widely known in order to pave the way for a more secure CWS.
Related papers
- Consent in Crisis: The Rapid Decline of the AI Data Commons [74.68176012363253]
General-purpose artificial intelligence (AI) systems are built on massive swathes of public web data.
We conduct the first, large-scale, longitudinal audit of the consent protocols for the web domains underlying AI training corpora.
arXiv Detail & Related papers (2024-07-20T16:50:18Z)
- Did I Vet You Before? Assessing the Chrome Web Store Vetting Process through Browser Extension Similarity [3.7980955101286322]
We characterize the prevalence of malware and other infringing extensions in the Chrome Web Store (CWS), the largest distribution platform for this type of software.
Our study reveals significant gaps in the CWS vetting process, as 86% of infringing extensions are extremely similar to previously vetted items.
Our study also reveals that only 1% of malware extensions flagged by the CWS are detected as malicious by anti-malware engines.
arXiv Detail & Related papers (2024-06-01T09:17:01Z)
- FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques [53.288368877654705]
FV8 is a modified V8 JavaScript engine designed to identify evasion techniques in JavaScript code.
It selectively enforces code execution on APIs that conditionally inject dynamic code.
It identifies 1,443 npm packages and 164 (82%) extensions containing at least one type of evasion.
arXiv Detail & Related papers (2024-05-21T19:54:19Z)
- EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data.
While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated.
We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
arXiv Detail & Related papers (2024-05-21T06:14:49Z)
- Towards Browser Controls to Protect Cookies from Malicious Extensions [5.445001663133085]
Cookies are valuable targets of attacks that attempt to steal them and gain unauthorized access to user accounts.
Extensions are third-party HTML/JavaScript add-ons with access to several privileged APIs and can run on multiple websites at once.
We propose browser controls based on two new cookie attributes that protect cookies from malicious extensions: BrowserOnly and Tracked.
arXiv Detail & Related papers (2024-05-10T22:04:56Z)
- Manifest V3 Unveiled: Navigating the New Era of Browser Extensions [53.288368877654705]
In 2020, Google announced a shift in extension development with Manifest Version 3 (V3), aiming to replace the previous Version 2 (V2) by January 2023.
This paper presents a comprehensive analysis of the Manifest V3 ecosystem.
arXiv Detail & Related papers (2024-04-12T08:09:26Z)
- Impact of Extensions on Browser Performance: An Empirical Study on Google Chrome [3.000496428347787]
We conduct an empirical study to understand the impact of extensions on the user-perceived performance of Google Chrome.
We observe that browser performance can be negatively impacted by the use of extensions, even when the extensions are used in unintended circumstances.
We identify a set of factors that significantly influence the performance impact of extensions, such as code complexity and privacy practices.
arXiv Detail & Related papers (2024-04-10T08:31:40Z)
- Exposing and Addressing Security Vulnerabilities in Browser Text Input Fields [22.717150034358948]
We perform a comprehensive analysis of the security of text input fields in web browsers.
We find that browsers' coarse-grained permission model violates two security design principles.
We uncover two vulnerabilities in input fields, including the alarming discovery of passwords in plaintext.
arXiv Detail & Related papers (2023-08-30T21:02:48Z)
- Exploring Security Practices in Infrastructure as Code: An Empirical Study [54.669404064111795]
Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools.
scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks.
Ensuring security relies on practitioners' understanding and the adoption of explicit policies, guidelines, or best practices.
arXiv Detail & Related papers (2023-08-07T23:43:32Z)
- Reinforcement Learning on Encrypted Data [58.39270571778521]
We present a preliminary, experimental study of how a DQN agent trained on encrypted states performs in environments with discrete and continuous state spaces.
Our results highlight that the agent is still capable of learning in small state spaces even in the presence of non-deterministic encryption, but performance collapses in more complex environments.
arXiv Detail & Related papers (2021-09-16T21:59:37Z)