2025-08-14

“I have no idea how to make it safer”: Studying Security and Privacy Mindsets of Browser Extension Developers

Abstract

Browser extensions play a vital role in the Web ecosystem: they enable users to customize their experience while browsing. However, the higher privileges of extensions compared to Web applications require in-depth security considerations so as not to threaten the security and privacy (S&P) of their users. The security and privacy mindset of extension developers, however, has not yet been studied. In this paper, we close this research gap. To that end, we conducted a qualitative study with extension developers from diverse backgrounds and experience levels (N=21) to identify the root causes for vulnerable extensions existing in the ecosystem. Our findings suggest that developers often implicitly acknowledge the S&P risks associated with their extensions, but they frequently lack the necessary knowledge and resources to implement effective security and privacy-protecting mechanisms. Additionally, socio-technical barriers, such as insufficient incentives and external pressures, including platform-imposed restrictions, further hinder secure development practices. Based on our findings, we offer empirically grounded takeaways for the browser extension ecosystem to help strengthen security practices and ultimately provide better protection for users.

Conference paper

Usenix Security Symposium (USENIX-Security)

Publication date

2025-08-14

Last modified date

2025-07-17