Study Finds Thousands of Browser Extensions Compromise User Data

Browser extensions, the software add-ons that help users customize and enhance their web browsers, are wildly popular. Some of the most-used extensions find shopping deals, fix grammar and typos, manage passwords, or translate web pages. The types of extensions available are nearly endless, and many have become indispensable tools for businesses and everyday users.

While these extensions can make web browsing more accessible, productive, and rewarding, they are not without risk. New research from Georgia Tech reveals that thousands of browser extensions pose significant threats to privacy, and hundreds automatically extract private user content from within webpages - affecting millions of internet users.

Led by Frank Li, assistant professor in the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering, and Ph.D. student Qinge Xie, a team of researchers developed a new system that monitors if and how browser extensions collect user content from webpages. The team, which also includes Paul Pearce, assistant professor in the School of Cybersecurity and Privacy and the School of Computer Science, and Manoj Vignesh Kasi Murali, a Georgia Tech M.S. alumnus, presented their research paper at the Usenix Security Symposium, a top cybersecurity conference, in August.

"We know from prior research that browser extensions collect users' browser activity and history, but some of the most sensitive user data is located within webpages, such as emails, social media profiles, medical records, banking information, and more," Li said. "We wanted to know if extensions are also collecting personal data from these webpages."

The team designed a web framework, Arcanum, to test whether extensions automatically extract user data from webpages. They used the system to study every functional extension - more than 100,000 - available in the Chrome Web Store. Specifically, they used the system to monitor whether the extensions extracted user data from seven popular websites known to contain sensitive information: Amazon, Facebook, Gmail, Instagram, LinkedIn, Outlook, and PayPal.

The researchers observed that browser extension collection of potentially sensitive and private data is pervasive. They identified more than 3,000 browser extensions that automatically collect user-specific data, affecting tens of millions of users. More than 200 extensions directly took sensitive user data from webpages and uploaded it to servers.

Browser extensions do sometimes collect user data for legitimate reasons - for example, when the data collected is related to the extension's functionality or purpose. For this reason, it can be challenging to identify the intent behind the extension's data collection behavior.

To investigate further, the researchers took a sample group of the flagged extensions and compared each extension's data collection behavior to its privacy policy and web store description, which are supposed to explain how the extension is used and what information it will collect. This allowed the researchers to investigate whether users would reasonably expect extensions to automatically collect their data as part of their function.

In this sample group, the researchers found that none of them clearly described the automated user data collection in their privacy policy or web store description.

"Unfortunately, the same capabilities that extensions rely on to enrich the web browsing experience can also be abused to harm user privacy, and potentially without users' knowledge or explicit consent," Xie said. "Even in cases where data collection is benign and necessary for legitimate functionality, it introduces privacy risks. Sensitive user data can be transmitted and stored by a third party, which may further share the data or possibly leak the data during a data breach."

According to the researchers, their findings suggest that companies like Google could develop stricter privacy policies for extensions or more broadly enforce existing policies. Major companies whose users' sensitive data is being collected could also increase measures to protect their customers.

"I don't believe individual users should have to bear the burden of worrying about their privacy or protecting their data, because they may not have the capability or technical knowledge to figure out what's happening," Li said. "The goal of this type of work is to bring these issues to the organizations or stakeholders that can influence data collection, in hopes that it can guide them in enhancing user privacy."

Citation: Xie, et al. "Arcanum: Detecting and Evaluating the Privacy Risks of Browser Extensions on Web Pages and Web Content," 33rd USENIX Security Symposium, August 14-16, 2024.

Frank Li, assistant professor in the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering, and Qinge Xie, a Ph.D. student in the School of Cybersecurity and Privacy.