{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:32:42Z","timestamp":1766442762058,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":57,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T00:00:00Z","timestamp":1763769600000},"content-version":"vor","delay-in-days":3,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2226404, CNS-1816929"],"award-info":[{"award-number":["CNS-2226404, CNS-1816929"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765195","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:42:02Z","timestamp":1763854922000},"page":"1859-1873","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Passwords and FIDO2 Are Meant To Be Secret: A Practical Secure Authentication Channel for Web Browsers"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-9503-558X","authenticated-orcid":false,"given":"Anuj","family":"Gautam","sequence":"first","affiliation":[{"name":"University of Tennessee, Knoxville, TN, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7592-4537","authenticated-orcid":false,"given":"Tarun","family":"Yadav","sequence":"additional","affiliation":[{"name":"Brigham Young University, Provo, UT, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4796-9735","authenticated-orcid":false,"given":"Garrett","family":"Smith","sequence":"additional","affiliation":[{"name":"Brigham Young University, Provo, UT, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1482-492X","authenticated-orcid":false,"given":"Kent","family":"Seamons","sequence":"additional","affiliation":[{"name":"Brigham Young University, Provo, UT, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6917-4186","authenticated-orcid":false,"given":"Scott","family":"Ruoti","sequence":"additional","affiliation":[{"name":"University of Tennessee, Knoxville, TN, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Shiller","author":"Akerlof George A.","year":"2015","unstructured":"George A. Akerlof and Robert J. Shiller. 2015. Phishing for phools. In Phishing for Phools. Princeton University Press."},{"key":"e_1_3_2_1_2_1","unstructured":"Awake Security. 2022. Discovery of a Massive Criminal Surveillance Campaign. https:\/\/awakesecurity.com\/blog\/the-internets-new-arms-dealers-malicious-domain-registrars\/."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.44"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382237"},{"key":"e_1_3_2_1_5_1","unstructured":"Cato Networks. 2022. Threat Intelligence Feeds and Endpoint Protection Systems Fail to Detect 24 Malicious Chrome Extensions. https:\/\/www.catonetworks.com\/blog\/threat-intelligence-feeds-and-endpoint-protection-systems-fail-to-detect-24-malicious-chrome-extensions\/."},{"key":"e_1_3_2_1_6_1","unstructured":"Google Chrome. [n.d.]. Chrome.webRequest. https:\/\/developer.chrome.com\/docs\/extensions\/reference\/webRequest\/#event-onBeforeRequest"},{"key":"e_1_3_2_1_7_1","unstructured":"Chromium. 2011. 91191 - chromium - WebRequest: Access to POST data in onBeforeRequest. https:\/\/bugs.chromium.org\/p\/chromium\/issues\/detail?id=91191 Accessed: 2023-05-03."},{"key":"e_1_3_2_1_8_1","unstructured":"Chromium. 2023a. The activeTab permission. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/manifest\/activeTab\/ Accessed: 2023-05-03."},{"key":"e_1_3_2_1_9_1","unstructured":"Chromium. 2023b. chrome.declarativeNetRequest. https:\/\/developer.chrome.com\/docs\/extensions\/reference\/declarativeNetRequest\/ Accessed: 2023-05-03."},{"key":"e_1_3_2_1_10_1","unstructured":"Chromium. 2023c. chrome.scripting. https:\/\/developer.chrome.com\/docs\/extensions\/reference\/scripting\/ Accessed: 2023-05-03."},{"key":"e_1_3_2_1_11_1","unstructured":"Chromium. 2023d. chrome.webRequest. https:\/\/developer.chrome.com\/docs\/extensions\/reference\/webRequest\/ Accessed: 2023-05-03."},{"key":"e_1_3_2_1_12_1","unstructured":"Chromium. 2023 e. Content scripts. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/content_scripts\/ Accessed: 2023-05-03."},{"key":"e_1_3_2_1_13_1","unstructured":"Chromium. 2023 f. Manifest file format. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/manifest\/ Accessed: 2023-05-03."},{"volume-title":"CVES, XSS, Cross Site Scripting published in January","year":"2024","key":"e_1_3_2_1_14_1","unstructured":"CVEdetails. 2024. Security vulnerabilities, CVES, XSS, Cross Site Scripting published in January 2024."},{"key":"e_1_3_2_1_15_1","first-page":"2189","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Dambra Savino","year":"2022","unstructured":"Savino Dambra, Iskander Sanchez-Rola, Leyla Bilge, and Davide Balzarotti. 2022. When Sally Met Trackers: Web Tracking from the Users' Perspective. In 31st USENIX Security Symposium (USENIX Security 22). 2189-2206."},{"key":"e_1_3_2_1_16_1","volume-title":"Proceedings of the 54th Hawaii International Conference on System Sciences.","author":"Das Sanchari","year":"2020","unstructured":"Sanchari Das, Andrew Kim, Ben Jelen, Lesa Huber, and L Jean Camp. 2020. Non-inclusive online security: older adults' experience with two-factor authentication. In Proceedings of the 54th Hawaii International Conference on System Sciences."},{"volume-title":"Proceedings of the 2005 symposium on Usable privacy and security. 77-88","author":"Dhamija Rachna","key":"e_1_3_2_1_17_1","unstructured":"Rachna Dhamija and J. Doug Tygar. 2005. The battle against phishing: Dynamic security skins. In Proceedings of the 2005 symposium on Usable privacy and security. 77-88."},{"key":"e_1_3_2_1_18_1","volume-title":"Ryan Elder, Brendan Saltaformaggio, and Wenke Lee.","author":"Duan Ruian","year":"2020","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2020. Towards measuring supply chain attacks on package managers for interpreted languages. (2020). arXiv:2002.01139 [cs.CR]"},{"key":"e_1_3_2_1_19_1","first-page":"3","volume-title":"Copenhagen","author":"Guan Jingjing","year":"2022","unstructured":"Jingjing Guan, Hui Li, Haisong Ye, and Ziming Zhao. 2022. A Formal Analysis of the FIDO2 Protocols. In Computer Security-ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26-30, 2022, Proceedings, Part III. Springer, 3-21."},{"volume-title":"Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security. 697-711","author":"Hao Feng","key":"e_1_3_2_1_20_1","unstructured":"Feng Hao and Paul C. van Oorschot. 2022. SoK: Password-Authenticated Key Exchange-Theory, Practice, Standardization and Real-World Lessons. In Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security. 697-711."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1719030.1719050"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/CC.2016.7897543"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/sp40001.2021.00094"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-78372-7_15"},{"key":"e_1_3_2_1_25_1","first-page":"641","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Kapravelos Alexandros","year":"2014","unstructured":"Alexandros Kapravelos, Chris Grier, Neha Chachra, Christopher Kruegel, Giovanni Vigna, and Vern Paxson. 2014. Hulk: Eliciting malicious behavior in browser extensions. In 23rd USENIX Security Symposium (USENIX Security 14). 641-654."},{"key":"e_1_3_2_1_26_1","volume-title":"Wagner","author":"Karlof Chris","year":"2009","unstructured":"Chris Karlof, J. Doug Tygar, and David A. Wagner. 2009. Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication.. In NDSS."},{"key":"e_1_3_2_1_27_1","volume-title":"Proceedings of the 18th Symposium on Usable Privacy and Security. USENIX","author":"Korir Maina","year":"2022","unstructured":"Maina Korir, Simon Parkin, and Paul Dunphy. 2022. An empirical study of a decentralized identity wallet: Usability, security, and perspectives on user control. In Proceedings of the 18th Symposium on Usable Privacy and Security. USENIX, Boston, MA. https:\/\/www.usenix.org\/conference\/soups2022\/presentation\/mayer"},{"key":"e_1_3_2_1_28_1","unstructured":"Robert Lemos. 2021. Dependency problems increase for open source components. https:\/\/www.darkreading.com\/application-security\/dependency-problems-increase-for-open-source-components\/d\/d-id\/1340665"},{"key":"e_1_3_2_1_29_1","volume-title":"Horcrux: A password manager for paranoids.","author":"Li Hannah","year":"2017","unstructured":"Hannah Li and David Evans. 2017. Horcrux: A password manager for paranoids. (2017). arXiv:1706.05085 [cs.CR]"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.21236\/ADA614474"},{"key":"e_1_3_2_1_31_1","volume-title":"Proceedings of the 28th USENIX Security Symposium. USENIX.","author":"Lyastani Sanam Ghorbani","year":"2018","unstructured":"Sanam Ghorbani Lyastani, Michael Schilling, Sascha Fahl, Michael Backes, and Sven Bugiel. 2018. Better managed than memorized? Studying the impact of managers on password strength and reuse. In Proceedings of the 28th USENIX Security Symposium. USENIX."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690286"},{"key":"e_1_3_2_1_33_1","unstructured":"Mozilla. 2017. 1376155 - webrequest: Support modifying request bodies (e.g. via requestbody blockingresponse). https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1376155 Accessed: 2023-05-03."},{"key":"e_1_3_2_1_34_1","unstructured":"Mark Munder. 2017. PSA: 4.8 Million Affected by Chrome Extension Attacks Targeting Site Owners. https:\/\/www.wordfence.com\/blog\/2017\/08\/chrome-browser-extension-attacks\/"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3485884"},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of the 30th USENIX Security Symposium. USENIX.","author":"Oesch Sean","year":"2020","unstructured":"Sean Oesch and Scott Ruoti. 2020. That was then, this is now: a security evaluation of password generation, storage, and autofill in browser-based password managers. In Proceedings of the 30th USENIX Security Symposium. USENIX."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3491102.3517534"},{"key":"e_1_3_2_1_38_1","first-page":"23","volume-title":"DIMVA 2020, Lisbon, Portugal, June 24-26, 2020, Proceedings 17","author":"Ohm Marc","year":"2020","unstructured":"Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber's knife collection: A review of open source software supply chain attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment: 17th International Conference, DIMVA 2020, Lisbon, Portugal, June 24-26, 2020, Proceedings 17. Springer, 23-43."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987488"},{"key":"e_1_3_2_1_40_1","unstructured":"OSITCOM. 2021. Google Removes 500 plus Malicious Chrome Extensions. https:\/\/www.ositcom.com\/61."},{"key":"e_1_3_2_1_41_1","unstructured":"OWASP. 2022. Cross site scripting (XSS). https:\/\/owasp.org\/www-community\/attacks\/xss\/ Accessed: 2023-05-03."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423343"},{"key":"e_1_3_2_1_43_1","unstructured":"Scott Ruoti Jeff Andersen Tyler Monson Daniel Zappala and Kent Seamons. 2016. MessageGuard: A Browser-based Platform for Usable Content-Based Encryption Research. arXiv:1510.08943 [cs.CR]"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3171533.3171542"},{"key":"e_1_3_2_1_45_1","volume-title":"Why XSS is still an XXL issue","author":"Security Help Net","year":"2021","unstructured":"Help Net Security. 2021. Why XSS is still an XXL issue in 2021. https:\/\/www.helpnetsecurity.com\/2021\/06\/15\/xss-attacks\/"},{"key":"e_1_3_2_1_46_1","volume-title":"Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission. In 31st USENIX Security Symposium (USENIX Security 22)","author":"Senol Asuman","year":"2022","unstructured":"Asuman Senol, Gunes Acar, Mathias Humbert, and Frederik Zuiderveen Borgesius. 2022. Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission. In 31st USENIX Security Symposium (USENIX Security 22). 1813-1830."},{"key":"e_1_3_2_1_47_1","volume-title":"USENIX Security Symposium. 449-464","author":"Silver David","year":"2014","unstructured":"David Silver, Suman Jana, Dan Boneh, Eric Yawei Chen, and Collin Jackson. 2014. Password Managers: Attacks and Defenses.. In USENIX Security Symposium. 449-464."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3485889"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590336"},{"key":"e_1_3_2_1_50_1","unstructured":"Sansec Forensics Team. 2024. Polyfill supply chain attack hits 100K sites. https:\/\/sansec.io\/research\/polyfill-supply-chain-attack"},{"key":"e_1_3_2_1_51_1","unstructured":"Alanna Titterington. 2023. Dangerous Browser Extensions. https:\/\/usa.kaspersky.com\/blog\/dangerous-browser-extensions-2023\/29546\/"},{"key":"e_1_3_2_1_52_1","unstructured":"W3. 2023. HTML - Construct Entry List. https:\/\/html.spec.whatwg.org\/multipage\/form-control-infrastructure.html#constructing-the-form-data-set"},{"key":"e_1_3_2_1_53_1","unstructured":"WHATWG. 2023. HTML standard - WHATWG. https:\/\/html.spec.whatwg.org\/multipage\/form-control-infrastructure.html#form-submission-algorithm Accessed: 2023-05-03."},{"key":"e_1_3_2_1_54_1","unstructured":"WhiteSource. 2022. Remediating vulnerabilities in NPM Packages - WhiteSource. https:\/\/www.mend.io\/resources\/research-reports\/mend-research-report-remediating-vulnerabilities-in-npm-packages\/"},{"key":"e_1_3_2_1_55_1","first-page":"97","article-title":"The Secure Remote Password Protocol. In NDSS, Vol. 98","author":"Wu Thomas D.","year":"1998","unstructured":"Thomas D. Wu et al., 1998. The Secure Remote Password Protocol. In NDSS, Vol. 98. Citeseer, 97-111.","journal-title":"Citeseer"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24327"},{"key":"e_1_3_2_1_57_1","unstructured":"Yubico. [n.d.]. Java WebAuthn Server. https:\/\/github.com\/Yubico\/java-webauthn-server"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765195","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765195","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:31:27Z","timestamp":1766442687000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765195"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":57,"alternative-id":["10.1145\/3719027.3765195","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765195","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}