{"676885":{"#nid":"676885","#data":{"type":"news","title":"Study Finds Thousands of Browser Extensions Compromise User Data","body":[{"value":"\u003Cp\u003EBrowser extensions, the software add-ons that help users customize and enhance their web browsers, are wildly popular. Some of the most-used extensions find shopping deals, fix grammar and typos, manage passwords, or translate web pages. The types of extensions available are nearly endless, and many have become indispensable tools for businesses and everyday users.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EWhile these extensions can make web browsing more accessible, productive, and rewarding, they are not without risk. New research from Georgia Tech reveals that thousands of browser extensions pose significant threats to privacy, and hundreds automatically extract private user content from within webpages \u2014 affecting millions of internet users.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003ELed by \u003Ca href=\u0022https:\/\/ece.gatech.edu\/directory\/frank-li\u0022\u003EFrank Li\u003C\/a\u003E, assistant professor in the \u003Ca href=\u0022https:\/\/scp.cc.gatech.edu\/\u0022\u003ESchool of Cybersecurity and Privacy\u003C\/a\u003E and the \u003Ca href=\u0022https:\/\/ece.gatech.edu\/\u0022\u003ESchool of Electrical and Computer Engineering\u003C\/a\u003E, and Ph.D. student Qinge Xie, a team of researchers developed a new system that monitors if and how browser extensions collect user content from webpages. The team, which also includes Paul Pearce, assistant professor in the School of Cybersecurity and Privacy and the School of Computer Science, and Manoj Vignesh Kasi Murali, a Georgia Tech M.S. 
alumnus, presented their \u003Ca href=\u0022https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/xie-qinge\u0022\u003Eresearch paper\u003C\/a\u003E at the \u003Ca href=\u0022https:\/\/sites.gatech.edu\/research\/usenix-security-2024\/\u0022\u003EUSENIX Security Symposium\u003C\/a\u003E, a top cybersecurity conference, in August.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u201cWe know from prior research that browser extensions collect users\u2019 browser activity and history, but some of the most sensitive user data is located within webpages, such as emails, social media profiles, medical records, banking information, and more,\u201d Li said. \u201cWe wanted to know if extensions are also collecting personal data from these webpages.\u201d\u003C\/p\u003E\u003Cp\u003EThe team designed a web framework, Arcanum, to test whether extensions automatically extract user data from webpages. They used the system to study every functional extension \u2014 more than 100,000 \u2014 available in the Chrome Web Store. Specifically, they used the system to monitor whether the extensions extracted user data from seven popular websites known to contain sensitive information: Amazon, Facebook, Gmail, Instagram, LinkedIn, Outlook, and PayPal.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EThe researchers observed that the collection of potentially sensitive and private data by browser extensions is pervasive. They identified more than 3,000 browser extensions that automatically collect user-specific data, affecting tens of millions of users. More than 200 extensions directly took sensitive user data from webpages and uploaded it to servers.\u003C\/p\u003E\u003Cp\u003EBrowser extensions do sometimes collect user data for legitimate reasons \u2014 for example, when the data collected is related to the extension\u2019s functionality or purpose. 
For this reason, it can be challenging to identify the intent behind an extension\u2019s data collection behavior.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003ETo investigate further, the researchers took a sample group of the flagged extensions and compared each extension\u2019s data collection behavior to its privacy policy and web store description, which are supposed to explain how the extension is used and what information it will collect. This allowed the researchers to investigate whether users would reasonably expect extensions to automatically collect their data as part of their function.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EThe researchers found that none of the extensions in this sample group clearly described the automated user data collection in their privacy policy or web store description.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u201cUnfortunately, the same capabilities that extensions rely on to enrich the web browsing experience can also be abused to harm user privacy, and potentially without users\u2019 knowledge or explicit consent,\u201d Xie said. \u201cEven in cases where data collection is benign and necessary for legitimate functionality, it introduces privacy risks. Sensitive user data can be transmitted and stored by a third party, which may further share the data or possibly leak the data during a data breach.\u201d\u003C\/p\u003E\u003Cp\u003EAccording to the researchers, their findings suggest that companies like Google could develop stricter privacy policies for extensions or more broadly enforce existing policies. Major companies whose users\u2019 sensitive data is being collected could also increase measures to protect their customers.\u003C\/p\u003E\u003Cp\u003E\u201cI don\u2019t believe individual users should have to bear the burden of worrying about their privacy or protecting their data, because they may not have the capability or technical knowledge to figure out what\u2019s happening,\u201d Li said. 
\u201cThe goal of this type of work is to bring these issues to the organizations or stakeholders that can influence data collection, in hopes that it can guide them in enhancing user privacy.\u201d\u003C\/p\u003E\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003ECitation\u003C\/strong\u003E: Xie, et al. \u201c\u003Ca href=\u0022https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/xie-qinge\u0022\u003EArcanum: Detecting and Evaluating the Privacy Risks of Browser Extensions on Web Pages and Web Content\u003C\/a\u003E,\u201d 33rd USENIX Security Symposium, August 14\u201316, 2024.\u003C\/p\u003E","summary":"","format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EResearch from Georgia Tech reveals thousands of browser extensions pose significant privacy risks by extracting sensitive user data from web pages, highlighting a need for stricter privacy measures and better enforcement.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"Research from Georgia Tech reveals thousands of browser extensions pose significant privacy risks by extracting sensitive user data from web pages, highlighting a need for stricter privacy measures and better enforcement."}],"uid":"36123","created_gmt":"2024-09-17 15:58:54","changed_gmt":"2024-09-17 16:24:43","author":"Catherine Barzler","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2024-09-17T00:00:00-04:00","iso_date":"2024-09-17T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"674995":{"id":"674995","type":"image","title":"privacypolicy.png","body":"\u003Cp\u003EThousands of browser extensions extract sensitive data without explicit user consent, and do so without even mentioning data collection in their privacy policies and web store descriptions. 
(Credit: Getty Images)\u003C\/p\u003E","created":"1726588739","gmt_created":"2024-09-17 15:58:59","changed":"1726588739","gmt_changed":"2024-09-17 15:58:59","alt":"A screenshot of a privacy policy acknowledgement","file":{"fid":"258574","name":"GettyImages-1405666254.png","image_path":"\/sites\/default\/files\/2024\/09\/17\/GettyImages-1405666254.png","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/2024\/09\/17\/GettyImages-1405666254.png","mime":"image\/png","size":2218015,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/2024\/09\/17\/GettyImages-1405666254.png?itok=KrqM_4DN"}},"674996":{"id":"674996","type":"image","title":"li and xie.png","body":"\u003Cp\u003EFrank Li, assistant professor in the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering, and Qinge Xie, a Ph.D. student in the School of Cybersecurity and Privacy.\u003C\/p\u003E","created":"1726590068","gmt_created":"2024-09-17 16:21:08","changed":"1726590068","gmt_changed":"2024-09-17 16:21:08","alt":"Frank Li and Qinge Xie","file":{"fid":"258576","name":"li and xie.png","image_path":"\/sites\/default\/files\/2024\/09\/17\/li%20and%20xie_0.png","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/2024\/09\/17\/li%20and%20xie_0.png","mime":"image\/png","size":2234591,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/2024\/09\/17\/li%20and%20xie_0.png?itok=p3j8TScx"}}},"media_ids":["674995","674996"],"groups":[{"id":"1214","name":"News Room"},{"id":"1188","name":"Research Horizons"}],"categories":[],"keywords":[{"id":"187915","name":"go-researchnews"}],"core_research_areas":[],"news_room_topics":[{"id":"71881","name":"Science and Technology"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003ECatherine Barzler, Senior Research 
Writer\/Editor\u003C\/p\u003E\u003Cp\u003E\u003Ca href=\u0022mailto:catherine.barzler@gatech.edu\u0022\u003Ecatherine.barzler@gatech.edu\u003C\/a\u003E\u003C\/p\u003E","format":"limited_html"}],"email":["catherine.barzler@gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}