VEX: Vetting browser extensions for security vulnerabilities

Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, Marianne Winslett

Research output: Chapter in Book/Report/Conference proceedingConference contribution


The browser has become the de facto platform for everyday computation. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which does not scale well and is subject to human error. In this paper, we present VEX, a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to the JavaScript code used to implement extensions. We describe several patterns of flows as well as unsafe programming practices that may lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We analyze thousands of browser extensions, and VEX finds six exploitable vulnerabilities, three of which were previously unknown. VEX also finds hundreds of examples of bad programming practices that may lead to security vulnerabilities. We show that compared to current Mozilla extension review tools, VEX greatly reduces the human burden for manually vetting extensions when looking for key types of dangerous flows.

Original languageEnglish (US)
Title of host publicationProceedings of the 19th USENIX Security Symposium
PublisherUSENIX Association
Number of pages16
ISBN (Electronic)9781931971775
StatePublished - 2010
Event19th USENIX Security Symposium - Washington, United States
Duration: Aug 11 2010Aug 13 2010

Publication series

NameProceedings of the 19th USENIX Security Symposium


Conference19th USENIX Security Symposium
Country/TerritoryUnited States

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'VEX: Vetting browser extensions for security vulnerabilities'. Together they form a unique fingerprint.

Cite this