Large-scale Detection of Privacy Leaks for BAT Browsers Extensions in China

2019 
Although browser extensions bring users a better experience, they also create a hidden danger of privacy leakage. A common way to detect privacy leakage is to detect the transmission of private data. However, only unintended transmission is considered a privacy leak, so the real challenge is to determine whether or not a transmission is user-intended. To address this problem, we check the rationality of private data transmission by establishing a classification-based privacy model for extensions, which confirms the scope of private data that can be uploaded and the domains it can be sent to. Furthermore, we present BEDS (Browser Extension Detection System), a Chromium-based dynamic detection system for extensions. BEDS first builds a privacy model for each extension and then records the extension's network logs and browser API logs when accessing specified pages. Finally, BEDS determines whether a privacy leak exists according to strict privacy leakage judgment rules. We test our implementation at large scale on extensions in browsers developed by China's three major Internet companies and complete 15 months of continuous tracking. After examining a total of 14,487 extensions, 1,897 privacy leaks are identified. All results have been inspected manually, and the accuracy of BEDS is over 97%. A number of domains that illegally collect private user data are discovered and tracked. Our results show that about 47,000 Chinese IPs upload private information to suspicious servers every day.
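The model-then-judge flow described in the abstract can be sketched as follows. This is an added example, not BEDS code or the paper's actual rules: the categories, data types, domains, log format and the encodings checked are all assumptions, and the sample log is constructed.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# Assumed privacy model per extension category: which private data types may
# be uploaded, and to which domains (hypothetical categories and domains).
PRIVACY_MODELS = {
    "translation": {"data": {"page_text"}, "domains": {"translate.example"}},
    "ad_blocker": {"data": set(), "domains": set()},
}

# Constructed private values present on the test page the extension visits.
SAMPLE_PRIVATE = {"visited_url": "https://bank.example/account",
                  "page_text": "quarterly salary report"}

# Constructed network log for one extension: (request URL, request body).
SAMPLE_LOG = [
    ("https://translate.example/api?q=quarterly+salary+report", ""),
    ("https://stats.tracker.example/c",
     base64.b64encode(SAMPLE_PRIVATE["visited_url"].encode()).decode()),
    ("https://translate.example/log?ref=https%3A%2F%2Fbank.example%2Faccount", ""),
]

def _variants(value):
    """Forms a private value may take on the wire: plain or base64."""
    return {value, base64.b64encode(value.encode()).decode()}

def find_private_data(url, body, private_values):
    """Return the private data types whose value appears in the request."""
    # parse_qsl percent-decodes query values, so URL-encoded data is matched.
    fields = [v for _, v in parse_qsl(urlsplit(url).query)] + [body]
    return {dtype for dtype, value in private_values.items()
            if any(var in f for var in _variants(value) for f in fields)}

def _domain_allowed(host, allowed):
    return any(host == d or host.endswith("." + d) for d in allowed)

def judge(category, log, private_values):
    """Flag (host, data type) pairs that fall outside the category's model."""
    model = PRIVACY_MODELS[category]
    leaks = []
    for url, body in log:
        host = urlsplit(url).hostname or ""
        for dtype in sorted(find_private_data(url, body, private_values)):
            # A leak is private data outside the allowed scope, or allowed
            # data sent to a domain the model does not permit.
            if dtype not in model["data"] or not _domain_allowed(host, model["domains"]):
                leaks.append((host, dtype))
    return leaks
```

For the constructed log, the page text sent to the translation service is within the model, while the visited URL is flagged both when sent base64-encoded to a third-party host and when sent to the otherwise permitted domain.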