{"guid":"9e712464-901b-4fcc-87cd-f80e84e4d6f4","title":"\"I have no idea how to make it safer\": Security and Privacy Mindsets of Browser Extension Developers","subtitle":null,"slug":"god2025-56488-i-have-no-idea-how-to-make","link":"https://c3voc.de","description":"Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, but also through gaps in developer awareness and ecosystem support.\nIn this talk, we share insights from a recent study in which we interviewed and observed 21 extension developers across the world [1] as they worked on security and privacy-related tasks that we designed based on our prior works and observations [2, 3]. Their live decision-making revealed common misconceptions, unexpected pain points, and ecosystemic obstacles in the extension development lifecycle. Extending beyond our published results, we plan to highlight some of the untold anecdotes, insecure development practices, their threat perception, the design-level challenges, as well as the misconceptions around them.\nThe audience will take away the following items from the presentation/discussion:\nCommon insecure practices in extension development.\nWhy security ≠ privacy ≠ store compliance, as often perceived by extension developers!\nHidden design gaps and loopholes in extension architecture that developers can't spot or comprehend.\nAnecdotes on the course of extension development in the era of LLMs.\nDevelopers, regulations (GDPR/CCPA/CRA), and a few “interesting” opinions.\nAnd, most importantly, why you should NOT give up on them just yet! :)\n\nReferences:\n[1] Agarwal, Shubham, et al. 
“I have no idea how to make it safer”: Studying Security and Privacy Mindsets of Browser Extension Developers. Proceedings of the 34th USENIX Security Symposium 2025.\n[2] Agarwal, Shubham, Aurore Fass, and Ben Stock. Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions. Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024.\n[3] Agarwal, Shubham. Helping or hindering? How browser extensions undermine security. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Shubham Agrawal"],"tags":["56488","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":151,"promoted":false,"date":"2025-11-26T14:55:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-31T21:30:08.335+02:00","length":1482,"duration":1482,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56488-9e712464-901b-4fcc-87cd-f80e84e4d6f4.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56488-9e712464-901b-4fcc-87cd-f80e84e4d6f4_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56488-9e712464-901b-4fcc-87cd-f80e84e4d6f4.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56488-9e712464-901b-4fcc-87cd-f80e84e4d6f4.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56488-i-have-no-idea-how-to-make","url":"https://api.media.ccc.de/public/events/9e712464-901b-4fcc-87cd-f80e84e4d6f4","conference_title":"German OWASP Day 
2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[],"recordings":[{"size":13,"length":1482,"mime_type":"audio/opus","language":"eng","filename":"god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-11-26T16:22:12.004+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2025/opus/god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_opus.opus","url":"https://api.media.ccc.de/public/recordings/93598","event_url":"https://api.media.ccc.de/public/events/9e712464-901b-4fcc-87cd-f80e84e4d6f4","conference_url":"https://api.media.ccc.de/public/conferences/god2025"},{"size":42,"length":1482,"mime_type":"video/webm","language":"eng","filename":"god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-11-26T16:32:31.648+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2025/webm-sd/god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/93605","event_url":"https://api.media.ccc.de/public/events/9e712464-901b-4fcc-87cd-f80e84e4d6f4","conference_url":"https://api.media.ccc.de/public/conferences/god2025"},{"size":116,"length":1482,"mime_type":"video/webm","language":"eng","filename":"god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-11-26T16:28:53.962+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2025/webm-hd/god2025-56488-e
ng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/93604","event_url":"https://api.media.ccc.de/public/events/9e712464-901b-4fcc-87cd-f80e84e4d6f4","conference_url":"https://api.media.ccc.de/public/conferences/god2025"},{"size":42,"length":1482,"mime_type":"video/mp4","language":"eng","filename":"god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-11-26T16:27:54.762+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_sd.mp4","url":"https://api.media.ccc.de/public/recordings/93601","event_url":"https://api.media.ccc.de/public/events/9e712464-901b-4fcc-87cd-f80e84e4d6f4","conference_url":"https://api.media.ccc.de/public/conferences/god2025"},{"size":22,"length":1482,"mime_type":"audio/mpeg","language":"eng","filename":"god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-11-26T16:22:15.765+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2025/mp3/god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/93599","event_url":"https://api.media.ccc.de/public/events/9e712464-901b-4fcc-87cd-f80e84e4d6f4","conference_url":"https://api.media.ccc.de/public/conferences/god2025"},{"size":105,"length":1482,"mime_type":"video/mp4","language":"eng","filename":"god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_hd.mp4","s
tate":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-11-26T16:02:15.489+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2025/h264-hd/god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_hd.mp4","url":"https://api.media.ccc.de/public/recordings/93587","event_url":"https://api.media.ccc.de/public/events/9e712464-901b-4fcc-87cd-f80e84e4d6f4","conference_url":"https://api.media.ccc.de/public/conferences/god2025"}]}