In the News
News on Detecting Malicious Browser Extensions
"UW-Madison research proves your browser extension could grab your password and sensitive info"
Channel 3000, October 31, 2023.
"From ********* to EZacces$! Your browser extension could grab your password and sensitive info"
UW News, October 27, 2023.
"Password-stealing Chrome extension smuggled on to Web Store"
Malwarebytes, September 5, 2023.
"This Chrome extension can steal your passwords - and Google has no problem with it"
techradar, September 4, 2023.
"Apple Says No"
GRC Security Now, September 5, 2023.
"WATCH OUT Billions of Google users urged over simple mistake that lets crooks silently steal your passwords"
The SUN, September 6, 2023.
"Chrome extensions can steal plaintext passwords from websites"
The Bleeping Computer, September 2, 2023.
"Google Chrome users urged to check now for these password-stealing add-ons"
The Mirror, September 4, 2023.
"Chrome Extensions Can Easily Steal User Passwords, Researchers Demonstrate"
IndiaTimes, September 5, 2023.
News on Automated Enforcement of Cookies
"AI-powered browser extension to automatically click away cookie pop-ups now promised"
The Register, April 12, 2022.
"A clever new browser extension eliminates one of the worst problems with the web"
techradar, April 13, 2022.
Selected Publications
For the full list of publications, see Publications, or visit my Google Scholar profile.
Asmit Nayak, Shirley Zhang (Equal Contribution), Yash Wani (Equal Contribution), Rishabh Khandelwal, Kassem Fawaz (2024)
Automatically Detecting Online Deceptive Patterns in Real-time
In ArXiv Pre-Print
Rishabh Khandelwal (Equal Contribution), Asmit Nayak (Equal Contribution), Paul Chung, Kassem Fawaz (2024)
Unpacking Privacy Labels: A Measurement and Developer Perspective on Google's Data Safety Section
In USENIX Security 2024
Asmit Nayak (Equal Contribution), Rishabh Khandelwal (Equal Contribution), Earlence Fernandes, Kassem Fawaz (2024)
Experimental Security Analysis of Sensitive Data Access by Browser Extensions
In The Web Conference 2024
Experience
Research Assistant
Wisconsin Privacy and Security Group
Jun 2022 - Present Madison, WI
Responsibilities include:
- Did cool research on privacy.
- Published groundbreaking papers.
Graduate Teaching Assistant
University of Wisconsin-Madison
Aug 2021 - Dec 2022 Madison, WI
Responsibilities include:
- Delivered guest lectures on Reinforcement Learning during the Summer 2022 term.
Research Intern
Wisconsin Privacy and Security Group
May 2021 – Aug 2021 Madison, WI
Responsibilities include:
- Created the CookieEnforcer web-extension in JS to automatically disable unnecessary cookies.
- Created a server in Django to conduct User Studies and collect user data to conduct statistical analysis on it.
- Created the backend server to interact with the CookieEnforcer web-extension.
- Worked towards building the base model to support a web extension to automatically set and dismiss cookie notices.
Undergraduate Research Assistant
Wisconsin Privacy and Security Group
Jun 2020 – May 2021 Madison, WI
Responsibilities include:
- Worked on using NLP techniques and grouping them based on similarity using unsupervised learning.
- Created a text-extraction program to extract immediate texts from the raw HTML code, based on their relative position to the main element.
Projects

Automated Detection of Deceptive Patterns on Web
2024-05 – Present
To combat deceptive web design, I created a multi-modal framework for performing Deceptive Pattern classification from website screenshots. My contributions included developing a pipeline to generate synthetic websites with automatic element localization, which I used to fine-tune YOLOv10 models for visual analysis. Additionally, I developed an LLM-assisted annotation process to build a unique DP dataset, which I then used to distill efficient T5 and small LLM models for deceptive pattern detection.

2023-05 – 2024-05
My work focused on examining the effectiveness and consistency of Google's Data Safety Section (DSS). I designed and implemented a mixed-methods approach to analyze DSS practices, which revealed significant reporting inconsistencies and trends. To understand the developer perspective, I conducted a user study highlighting their struggles and strategies when submitting DSS information, pointing to a need for better guidelines. Furthermore, I developed a system to automatically identify cross-listed apps on the Play Store and App Store and scrape their respective privacy labels. Analyzing these labels allowed me to identify and characterize inconsistencies in privacy disclosures across platforms.

2022-10 – 2023-05
I conducted an extensive study into browser extension security risks. I demonstrated vulnerabilities in Chrome's review process by developing a proof-of-concept extension that bypassed Web Store checks. Through my analysis of 10K+ domains and 160K+ Chrome extensions, I identified critical security loopholes related to password protection and permissions. Additionally, I created an LLM-powered framework to automate the advanced analysis of extension code for detecting sensitive data access and malicious behavior.

2021-05 – 2022-09
An automated system using machine learning to analyze website cookie notices and enforce the most privacy-preserving options for users.