Relatore: Dr Aurore Fass

Affiliazione: CISPA Helmholtz Center for

Information Security

Abstract Browser extensions are popular to enhance user browsing
experience: they offer **additional functionality** to Web users, such as ad
blocking, grammar checks, or password management. To operate, browser
extensions need **elevated privileges** compared to web pages. This,
unfortunately, makes browser extensions an attractive target for attackers. In
fact, when used "maliciously", browser extensions can **pose a significant
threat to Web users**.
But how can extensions put the security and privacy of Web users at risk?
How many dangerous extensions have been in the Chrome Web Store? How
can we detect dangerous extensions?
In this presentation, I will answer these questions. I will first define classes of
"Security-Noteworthy Extensions" (SNE) that can harm users. Then, I will
focus on vulnerable extensions and present DoubleX, our open-source static
analyzer that detects vulnerable data flows in browser extensions with high
precision (89%) and recall (93%). Through this talk, I aim to raise awareness
about the risks posed by browser extensions and discuss strategies for
mitigating such threats.

Time and location: December 18, 2024, 2 p.m.; Room L1.4, Building
MO17 (Physics Building) Dept. FIM – Via Campi 213/b – Modena
Short bio Aurore Fass is a Tenure-Track Faculty at CISPA Helmholtz
Center for Information Security. She got her Ph.D. from CISPA &
Saarland University in 2021. From 2021–2023, she was a Visiting
Assistant Professor of Computer Science at Stanford University.
Aurore's research broadly focuses on Web Security & Privacy and
Web Measurements.

Host: Mauro Leoncini