{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T08:03:03Z","timestamp":1761897783569,"version":"3.37.3"},"reference-count":42,"publisher":"Springer Science and Business Media LLC","issue":"6","license":[{"start":{"date-parts":[[2022,9,4]],"date-time":"2022-09-04T00:00:00Z","timestamp":1662249600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,9,4]],"date-time":"2022-09-04T00:00:00Z","timestamp":1662249600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Swedish Foundation for Strategic Research"},{"DOI":"10.13039\/501100004359","name":"Swedish Research Council","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100004359","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2022,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Extensions are small applications installed by users and enrich the user experience of browsing the Internet. Browsers expose a set of restricted APIs to extensions. To be used, extensions need to list the permissions associated with these APIs in a mandatory extension file named manifest. In particular, Chrome\u2019s permission ecosystem was designed in the spirit of the least privilege. Yet, this paper demonstrates that 39.8% of the analyzed extensions provided by the official Web Store are compliant with the spirit of least privilege. Also, we develop: (1) a browser extension to make aware regular users of the permissions the extensions they install; (2) a web app where extensions developers can check whether their extensions are compliant with the spirit of the least privileged; and (3) a set of scripts that can be part of the vendors\u2019 acceptance criteria such that when developers upload their extensions to the official repositories, the scripts automatically analyze the extensions and generate a report about the permissions and the usage.<\/jats:p>","DOI":"10.1007\/s10207-022-00610-w","type":"journal-article","created":{"date-parts":[[2022,9,4]],"date-time":"2022-09-04T02:02:20Z","timestamp":1662256940000},"page":"1283-1297","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Are chrome extensions compliant with the spirit of least privilege?"],"prefix":"10.1007","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0303-3858","authenticated-orcid":false,"given":"Pablo","family":"Picazo-Sanchez","sequence":"first","affiliation":[]},{"given":"Lara","family":"Ortiz-Martin","sequence":"additional","affiliation":[]},{"given":"Gerardo","family":"Schneider","sequence":"additional","affiliation":[]},{"given":"Andrei","family":"Sabelfeld","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,9,4]]},"reference":[{"key":"610_CR1","doi-asserted-by":"crossref","unstructured":"Aggarwal, A., Viswanath, B., Zhang, L., Kumar, S., Shah, A., Kumaraguru, P.: I spy with my little eye: analysis and detection of spying browser extensions. In: Euro S &P, pp. 47\u201361 (2018)","DOI":"10.1109\/EuroSP.2018.00012"},{"key":"610_CR2","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1016\/j.infsof.2018.10.006","volume":"106","author":"A Ampatzoglou","year":"2019","unstructured":"Ampatzoglou, A., Bibi, S., Avgeriou, P., Verbeek, M., Chatzigeorgiou, A.: Identifying, categorizing and mitigating threats to validity in software engineering secondary studies. Inf. Softw. Technol. 106, 201\u2013230 (2019)","journal-title":"Inf. Softw. Technol."},{"key":"610_CR3","doi-asserted-by":"crossref","unstructured":"Arshad, S., Kharraz, A., Robertson, W.: Identifying extension-based ad injection via fine-grained web content provenance. In: RAID, pp. 415\u2013436 (2016)","DOI":"10.1007\/978-3-319-45719-2_19"},{"key":"610_CR4","unstructured":"Bandhakavi, S., King, S.T., Madhusudan, P., Winslett, M.: VEX: vetting browser extensions for security vulnerabilities. In: USENIX, pp. 339\u2013354 (2010)"},{"key":"610_CR5","unstructured":"Barth, A., Felt, A.P., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: NDSS (2010)"},{"key":"610_CR6","doi-asserted-by":"crossref","unstructured":"Barua, A., Zulkernine, M., Weldemariam, K.: Protecting web browser extensions from javascript injection attacks. In: ICECCS, pp. 188\u2013197 (2013)","DOI":"10.1109\/ICECCS.2013.36"},{"key":"610_CR7","unstructured":"Browser support for JavaScript APIs. https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/Browser_support_for_JavaScript_APIs"},{"key":"610_CR8","unstructured":"Carlini, N., Felt, A.P., Wagner, D.: An evaluation of the google chrome extension security architecture. In: USENIX, pp. 97\u2013111 (2012)"},{"key":"610_CR9","doi-asserted-by":"crossref","unstructured":"Chen, Q., Kapravelos, A.: Mystique: uncovering information leakage from browser extensions. In: CCS, pp. 1687\u20131700 (2018)","DOI":"10.1145\/3243734.3243823"},{"key":"610_CR10","unstructured":"Moving forward from chrome apps. https:\/\/blog.chromium.org\/2020\/01\/moving-forward-from-chrome-apps.html"},{"key":"610_CR11","unstructured":"CRXcavator: Democratizing chrome extension security. https:\/\/duo.com\/blog\/crxcavator"},{"key":"610_CR12","doi-asserted-by":"crossref","unstructured":"Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: CCS, pp. 627\u2013638 (2011)","DOI":"10.1145\/2046707.2046779"},{"key":"610_CR13","unstructured":"Felt, A.P., Greenwood, K., Wagner, D.: The effectiveness of application permissions. In: USENIX WebApps, pp. 7\u20137 (2011)"},{"key":"610_CR14","unstructured":"Chrome app and extension permissions. https:\/\/support.google.com\/chrome\/a\/answer\/7515036?hl=en"},{"key":"610_CR15","unstructured":"chrome.tabs. https:\/\/developer.chrome.com\/extensions\/tabs"},{"key":"610_CR16","unstructured":"Declare permissions. https:\/\/developer.chrome.com\/extensions\/declare_permissions"},{"key":"610_CR17","unstructured":"Declare permissions. https:\/\/developer.chrome.com\/docs\/extensions\/reference\/declarativeNetRequest\/"},{"key":"610_CR18","unstructured":"Declare permissions and warn users. https:\/\/developer.chrome.com\/apps\/permission_warnings"},{"key":"610_CR19","unstructured":"Extensions and apps in the chrome web store. https:\/\/developer.chrome.com\/webstore\/apps_vs_extensions"},{"key":"610_CR20","unstructured":"Hosted apps. https:\/\/developer.chrome.com\/webstore\/hosted_apps"},{"key":"610_CR21","unstructured":"Guarnieri, S., Livshits, B.: GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code. In: USENIX, pp. 151\u2013168 (2009)"},{"key":"610_CR22","doi-asserted-by":"crossref","unstructured":"Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: S &P, pp. 115\u2013130 (2011)","DOI":"10.1109\/SP.2011.36"},{"key":"610_CR23","unstructured":"Israel, G.D.: Determining sample size (1992)"},{"key":"610_CR24","unstructured":"Jagpal, N., Dingle, E., Gravel, J.P., Mavrommatis, P., Provos, N., Rajab, M.A., Thomas, K.: Trends and lessons from three years fighting malicious extensions. In: USENIX, pp. 579\u2013593 (2015)"},{"key":"610_CR25","unstructured":"Javascript closures. https:\/\/www.w3schools.com\/js\/js_function_closures.asp"},{"key":"610_CR26","unstructured":"Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: USENIX, pp. 641\u2013654 (2014)"},{"key":"610_CR27","unstructured":"Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: an automated approach to the detection of evasive web-based malware. In: USENIX, pp. 637\u2013652 (2013)"},{"key":"610_CR28","unstructured":"Liu, L., Zhang, X., Yan, G., Chen, S.: Chrome extensions: threat analysis and countermeasures. In: NDSS (2012)"},{"key":"610_CR29","unstructured":"Manifest file format. https:\/\/developer.chrome.com\/docs\/extensions\/mv2\/manifest\/"},{"issue":"4","key":"610_CR30","doi-asserted-by":"publisher","first-page":"66","DOI":"10.1109\/MSP.2018.3111249","volume":"16","author":"R Perrotta","year":"2018","unstructured":"Perrotta, R., Hao, F.: Botnet in the browser: understanding threats caused by malicious browser extensions. IEEE Secur. Privacy 16(4), 66\u201381 (2018)","journal-title":"IEEE Secur. Privacy"},{"key":"610_CR31","doi-asserted-by":"crossref","unstructured":"Picazo-Sanchez, P., Algehed, M., Sabelfeld, A.: Dedup.js: discovering malicious and vulnerable extensions by detecting duplication. In: ICISSP, pp. 528\u2013535 (2022)","DOI":"10.5220\/0010900600003120"},{"issue":"5","key":"610_CR32","doi-asserted-by":"publisher","first-page":"55","DOI":"10.1109\/MSECP.2003.1236236","volume":"1","author":"FB Schneider","year":"2003","unstructured":"Schneider, F.B.: Least privilege and more [computer security]. IEEE Secur. Privacy 1(5), 55\u201359 (2003)","journal-title":"IEEE Secur. Privacy"},{"key":"610_CR33","doi-asserted-by":"crossref","unstructured":"Siegmund, J., Siegmund, N., Apel, S.: Views on internal and external validity in empirical software engineering. In: ICSE, pp. 9\u201319 (2015)","DOI":"10.1109\/ICSE.2015.24"},{"key":"610_CR34","doi-asserted-by":"crossref","unstructured":"Som\u00e9, D.F.: Empoweb: Empowering web applications with browser extensions. In: S &P, pp. 227\u2013245 (2019)","DOI":"10.1109\/SP.2019.00058"},{"key":"610_CR35","doi-asserted-by":"crossref","unstructured":"Starov, O., Laperdrix, P., Kapravelos, A., Nikiforakis, N.: Unnecessarily identifiable: quantifying the fingerprintability of browser extensions due to bloat. In: WWW, pp. 3244\u20133250 (2019)","DOI":"10.1145\/3308558.3313458"},{"key":"610_CR36","doi-asserted-by":"crossref","unstructured":"Starov, O., Nikiforakis, N.: Extended tracking powers: measuring the privacy diffusion enabled by browser extensions. In: WWW, pp. 1481\u20131490 (2017)","DOI":"10.1145\/3038912.3052596"},{"key":"610_CR37","doi-asserted-by":"crossref","unstructured":"Starov, O., Nikiforakis, N.: Xhound: Quantifying the fingerprintability of browser extensions. In: S &P, pp. 941\u2013956 (2017)","DOI":"10.1109\/SP.2017.18"},{"key":"610_CR38","doi-asserted-by":"crossref","unstructured":"Thomas, K., Bursztein, E., Grier, C., Ho, G., Jagpal, N., Kapravelos, A., Mccoy, D., Nappa, A., Paxson, V., Pearce, P., Provos, N., Rajab, M.A.: Ad injection at scale: assessing deceptive advertisement modifications. In: S &P, pp. 151\u2013167 (2015)","DOI":"10.1109\/SP.2015.17"},{"key":"610_CR39","unstructured":"Trickel, E., Starov, O., Kapravelos, A., Nikiforakis, N., Doup\u00e9, A.: Everyone is different: client-side diversification for defending against extension fingerprinting. In: USENIX, pp. 1679\u20131696 (2019)"},{"key":"610_CR40","doi-asserted-by":"crossref","unstructured":"Wang, H., Liu, Z., Liang, J., Vallina-Rodriguez, N., Guo, Y., Li, L., Tapiador, J., Cao, J., Xu, G.: Beyond google play: a large-scale comparative study of chinese android app markets. In: IMC, pp. 293\u2013307 (2018)","DOI":"10.1145\/3278532.3278558"},{"key":"610_CR41","doi-asserted-by":"crossref","unstructured":"Xia, W., Jiang, H., Feng, D., Douglis, F., Shilane, P., Hua, Y., Fu, M., Zhang, Y., Zhou, Y.: A comprehensive study of the past, present, and future of data deduplication. Proc. IEEE 104(9), 1681\u20131710 (2016)","DOI":"10.1109\/JPROC.2016.2571298"},{"key":"610_CR42","doi-asserted-by":"crossref","unstructured":"Xing, X., Meng, W., Lee, B., Weinsberg, U., Sheth, A., Perdisci, R., Lee, W.: Understanding malvertising through ad-injecting browser extensions. In: WWW, pp. 1286\u20131295 (2015)","DOI":"10.1145\/2736277.2741630"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-022-00610-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-022-00610-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-022-00610-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,10,13]],"date-time":"2022-10-13T15:17:59Z","timestamp":1665674279000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-022-00610-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,9,4]]},"references-count":42,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2022,12]]}},"alternative-id":["610"],"URL":"https:\/\/doi.org\/10.1007\/s10207-022-00610-w","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2022,9,4]]},"assertion":[{"value":"4 September 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}