Analysis of insecure configurations in Chrome Web Store extensions: Impact on user security and privacy

  • José R. S. Silva UFPE
  • Luiz H. B. A. Silva UFPE
  • Vitória B. A. Silva UFPE
  • Maria Gabriela Lima Damasceno UFPE
  • Caio B. de Souza UFPE
  • Andson Balieiro UFPE

Abstract


Browser extensions, popular for enhancing functionality, pose risks to user privacy and security. This study analyzes insecure configurations in Chrome Web Store extensions, assessing their functional justification. Auditing 287 extensions revealed that many employ excessive permissions or unnecessary access to sensitive data without clear justification. Findings show that risky practices persist even in widely used tools, highlighting flaws in app stores’ verification processes. The research provides empirical evidence of these issues and advocates for stricter policies for developers, platforms, and regulators to balance functionality and security in the ecosystem.

Published
2025-09-01
SILVA, José R. S.; SILVA, Luiz H. B. A.; SILVA, Vitória B. A.; DAMASCENO, Maria Gabriela Lima; SOUZA, Caio B. de; BALIEIRO, Andson. Analysis of insecure configurations in Chrome Web Store extensions: Impact on user security and privacy. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 83-96. DOI: https://doi.org/10.5753/sbseg.2025.11487.