Speaker: Aurore Fass (Inria Centre at Université Côte d'Azur, France)

Title: On the Security and Privacy Risks of Browser Extensions

Abstract: Browser extensions are popular to enhance user browsing experience: they offer **additional functionality** to Web users, such as ad blocking, grammar checks, or password management. To operate, browser extensions need **elevated privileges** compared to Web pages, making them an attractive target for attackers and a **significant threat to Web users' security and privacy**. However, many aspects of browser extensions have not been investigated yet. For instance: how can extensions put the security and privacy of Web users at risk? How many dangerous extensions have been in the Chrome Web Store? How can we detect dangerous extensions?

In this presentation, I will address these questions by first defining several classes of "dangerous extensions" and the ways they can harm users. In particular, I will focus on detecting _vulnerable_ extensions, i.e., those that may unintentionally expose sensitive user data. Then, I will consider _malicious_ extensions, i.e., those which deliberately engage in malicious activities like malware distribution, and discuss the underlying challenges of machine learning-based detection systems. Finally, I will show how browser extensions can be _fingerprinted_: simply using an extension can introduce observable side effects, which can be abused to track users on the Web. Overall, this talk aims to raise awareness about the security and privacy risks posed by browser extensions and to discuss strategies for mitigating these threats.

Short bio: Dr.-Ing. Aurore Fass is a Tenured Researcher at the Inria Centre at University Côte d'Azur (France). She got her Ph.D. from CISPA Helmholtz Center for Information Security & Saarland University (Germany) in 2021.
From 2021 to 2023, she was a Visiting Assistant Professor of Computer Science at Stanford University (U.S.); from 2023 to 2025, she was a Tenure-Track Faculty at CISPA. Aurore's research broadly focuses on Web Security & Privacy and Web Measurements. Specifically, she designs practical approaches to protect the security and privacy of Web users. She builds systems to proactively detect malicious JavaScript code and suspicious browser extensions. More information is available on her website: https://aurore54f.github.io.