{"id":"https://openalex.org/W3187895569","doi":"https://doi.org/10.1145/3460120.3484745","title":"DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale","display_name":"DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale","publication_year":2021,"publication_date":"2021-11-12","ids":{"openalex":"https://openalex.org/W3187895569","doi":"https://doi.org/10.1145/3460120.3484745","mag":"3187895569"},"language":"en","primary_location":{"id":"doi:10.1145/3460120.3484745","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3460120.3484745","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://figshare.com/articles/conference_contribution/DoubleX_Statically_Detecting_Vulnerable_Data_Flows_in_Browser_Extensions_at_Scale/24613722","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5037725779","display_name":"Aurore Fass","orcid":"https://orcid.org/0000-0001-6611-4447"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Aurore Fass","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5015854505","display_name":"Doli\u00e8re Francis Som\u00e9","orcid":"https://orcid.org/0009-0005-3757-2779"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Doli\u00e8re Francis Som\u00e9","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102730269","display_name":"Michael Backes","orcid":"https://orcid.org/0000-0002-7130-9211"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Michael Backes","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5087823285","display_name":"Ben Stock","orcid":"https://orcid.org/0000-0001-9659-0700"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Ben Stock","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5037725779"],"corresponding_institution_ids":["https://openalex.org/I4210128801"],"apc_list":null,"apc_paid":null,"fwci":7.4039,"has_fulltext":false,"cited_by_count":35,"citation_normalized_percentile":{"value":0.97169238,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1789","last_page":"1804"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.996999979019165,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.996399998664856,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8864048719406128},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.6654492020606995},{"id":"https://openalex.org/keywords/pointer","display_name":"Pointer (user interface)","score":0.6253985166549683},{"id":"https://openalex.org/keywords/extension","display_name":"Extension (predicate logic)","score":0.6098813414573669},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.6038563251495361},{"id":"https://openalex.org/keywords/control-flow","display_name":"Control flow","score":0.49991846084594727},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.48597750067710876},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.4514639675617218},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4432605504989624},{"id":"https://openalex.org/keywords/web-page","display_name":"Web page","score":0.4352077543735504},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3577636480331421},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.31391870975494385},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.26599347591400146},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.0975433886051178}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8864048719406128},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.6654492020606995},{"id":"https://openalex.org/C150202949","wikidata":"https://www.wikidata.org/wiki/Q107602","display_name":"Pointer (user interface)","level":2,"score":0.6253985166549683},{"id":"https://openalex.org/C2778029271","wikidata":"https://www.wikidata.org/wiki/Q5421931","display_name":"Extension (predicate logic)","level":2,"score":0.6098813414573669},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.6038563251495361},{"id":"https://openalex.org/C160191386","wikidata":"https://www.wikidata.org/wiki/Q868299","display_name":"Control flow","level":2,"score":0.49991846084594727},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.48597750067710876},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.4514639675617218},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4432605504989624},{"id":"https://openalex.org/C21959979","wikidata":"https://www.wikidata.org/wiki/Q36774","display_name":"Web page","level":2,"score":0.4352077543735504},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3577636480331421},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.31391870975494385},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.26599347591400146},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.0975433886051178},{"id":"https://openalex.org/C31972630","wikidata":"https://www.wikidata.org/wiki/Q844240","display_name":"Computer vision","level":1,"score":0.0},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3460120.3484745","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3460120.3484745","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:figshare.com:article/24613722","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/DoubleX_Statically_Detecting_Vulnerable_Data_Flows_in_Browser_Extensions_at_Scale/24613722","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},{"id":"doi:10.60882/cispa.24613722.v1","is_oa":true,"landing_page_url":"https://doi.org/10.60882/cispa.24613722.v1","pdf_url":null,"source":{"id":"https://openalex.org/S7407050916","display_name":"CISPA Helmholtz Center","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:figshare.com:article/24613722","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/DoubleX_Statically_Detecting_Vulnerable_Data_Flows_in_Browser_Extensions_at_Scale/24613722","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":40,"referenced_works":["https://openalex.org/W21397350","https://openalex.org/W74184291","https://openalex.org/W202191487","https://openalex.org/W1688725932","https://openalex.org/W1887482550","https://openalex.org/W1992114977","https://openalex.org/W2023219316","https://openalex.org/W2055931054","https://openalex.org/W2060218972","https://openalex.org/W2085925880","https://openalex.org/W2091747079","https://openalex.org/W2142194171","https://openalex.org/W2143681128","https://openalex.org/W2144344516","https://openalex.org/W2189652372","https://openalex.org/W2294912735","https://openalex.org/W2536013516","https://openalex.org/W2578355414","https://openalex.org/W2591793539","https://openalex.org/W2602351626","https://openalex.org/W2604188240","https://openalex.org/W2723746209","https://openalex.org/W2732351623","https://openalex.org/W2750799145","https://openalex.org/W2753884237","https://openalex.org/W2771281827","https://openalex.org/W2891060526","https://openalex.org/W2911728339","https://openalex.org/W2947109320","https://openalex.org/W2963070438","https://openalex.org/W2964194794","https://openalex.org/W2965861627","https://openalex.org/W2970044827","https://openalex.org/W2970323597","https://openalex.org/W3000350072","https://openalex.org/W3008279942","https://openalex.org/W3110204761","https://openalex.org/W3147673361","https://openalex.org/W3161620163","https://openalex.org/W4299301436"],"related_works":["https://openalex.org/W1184927937","https://openalex.org/W1733359664","https://openalex.org/W3092270246","https://openalex.org/W2379130201","https://openalex.org/W2601005115","https://openalex.org/W1503745153","https://openalex.org/W4237689378","https://openalex.org/W3155376567","https://openalex.org/W804592935","https://openalex.org/W2986037118"],"abstract_inverted_index":{"Browser":[0],"extensions":[1,33,174],"are":[2,34,64],"popular":[3],"to":[4,14,19,71,75,147],"enhance":[5],"users'":[6],"browsing":[7],"experience.":[8],"By":[9],"design,":[10],"they":[11,36],"have":[12],"access":[13],"security-":[15],"and":[16,32,99,124,129,135,149,157],"privacy-critical":[17],"APIs":[18,159],"perform":[20],"tasks":[21],"that":[22,185],"web":[23,30,52],"applications":[24],"cannot":[25],"traditionally":[26],"do.":[27],"Even":[28],"though":[29],"pages":[31],"isolated,":[35],"can":[37,45,82,143,190],"communicate":[38],"through":[39],"messages.":[40],"Specifically,":[41],"a":[42,65,68,177,216],"vulnerable":[43,218],"extension":[44,50,120,219],"receive":[46],"messages":[47],"from":[48],"another":[49],"or":[51,89],"page,":[53],"under":[54],"the":[55,76,131],"control":[56,123],"of":[57,78,137,187,227],"an":[58,79,113,138,197],"attacker.":[59],"Thus,":[60],"these":[61,188],"communication":[62],"channels":[63],"way":[66],"for":[67,208],"malicious":[69],"actor":[70],"elevate":[72],"their":[73],"privileges":[74],"capabilities":[77],"extension,":[80],"which":[81,118],"lead":[83],"to,":[84],"e.g.,":[85],"universal":[86],"cross-site":[87],"scripting":[88],"sensitive":[90,158],"user":[91],"data":[92,125,152,179],"exfiltration.":[93],"To":[94],"automatically":[95],"detect":[96,150],"such":[97],"security":[98],"privacy":[100],"threats":[101],"in":[102,160],"benign-but-buggy":[103],"extensions,":[104,169],"we":[105,142,182,204,212],"propose":[106],"our":[107,201],"static":[108],"analyzer":[109],"DoubleX.":[110],"DoubleX":[111,165,214],"defines":[112],"Extension":[114],"Dependence":[115],"Graph":[116],"(EDG),":[117],"abstracts":[119],"code":[121],"with":[122],"flows,":[126],"pointer":[127],"analysis,":[128],"models":[130],"message":[132],"interactions":[133],"within":[134],"outside":[136],"extension.":[139],"This":[140],"way,":[141],"leverage":[144],"this":[145],"graph":[146],"track":[148],"suspicious":[151,178],"flows":[153,189],"between":[154],"external":[155,194],"actors":[156,195],"browser":[161],"extensions.":[162,210],"We":[163],"evaluated":[164,213],"on":[166,200,215],"154,484":[167],"Chrome":[168],"where":[170,221],"it":[171,222],"flags":[172],"278":[173],"as":[175],"having":[176],"flow.":[180],"Overall,":[181],"could":[183],"verify":[184],"89%":[186],"be":[191],"influenced":[192],"by":[193],"(i.e.,":[196],"attacker).":[198],"Based":[199],"threat":[202],"model,":[203],"subsequently":[205],"demonstrate":[206],"exploitability":[207],"184":[209],"Finally,":[211],"labeled":[217],"set,":[220],"accurately":[223],"detects":[224],"almost":[225],"93%":[226],"known":[228],"flaws.":[229]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":8},{"year":2024,"cited_by_count":10},{"year":2023,"cited_by_count":11},{"year":2022,"cited_by_count":5}],"updated_date":"2026-04-28T14:05:53.105641","created_date":"2025-10-10T00:00:00"}