Vetting browser extensions for security vulnerabilities with Vex

Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittman, Samuel T. King, P. Madhusudan, Marianne Winslett

Research output: Contribution to journalArticlepeer-review


The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present Vex, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. Vex analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and Vex finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.

Original languageEnglish (US)
Pages (from-to)91-99
Number of pages9
JournalCommunications of the ACM
Issue number9
StatePublished - Sep 2011

ASJC Scopus subject areas

  • Computer Science(all)


Dive into the research topics of 'Vetting browser extensions for security vulnerabilities with Vex'. Together they form a unique fingerprint.

Cite this