
Thousands of Chrome Extensions Are Tampering With Security Headers

Wednesday May 26, 2021, 03:00 PM, from Slashdot
An anonymous reader quotes a report from The Record: Thousands of Google Chrome extensions available on the official Chrome Web Store are tampering with security headers on popular websites, putting users at risk of a wide range of web-based attacks. While they are a little-known technical detail, security headers are an important part of the current internet landscape. At a technical level, a security header is an HTTP response header sent by the server to a client app, such as a browser, telling the client to enforce a particular protection. In a paper presented at the MADWeb workshop at the NDSS 2021 security conference, researchers from the CISPA Helmholtz Center for Information Security said they were the first to assess how many Chrome extensions tamper with security headers. Using a custom framework built specifically for the study, the team analyzed 186,434 Chrome extensions that were available on the official Chrome Web Store last year and found that 2,485 of them intercepted and modified at least one security header used by the Top 100 most popular websites in the Tranco list.

The study did not cover all security headers, only four of the most common ones: Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options. While 2,485 extensions disabled at least one of them, the researchers found 553 that disabled all four. The most commonly disabled header was CSP, which lets site owners control which web resources a page is allowed to load in the browser and is a standard defense against XSS and data injection attacks. According to the research team, in most of the cases they analyzed the extensions disabled CSP and other security headers 'to introduce additional seemingly benign functionalities on the visited webpage' and did not appear to be malicious. However, even where an extension only meant to enrich the user's experience, the German academics argued that by tampering with security headers it exposed users to attacks from other scripts and sites running in the browser and on the web: once the header is stripped or loosened in the browser, the policy the site operator set is simply not enforced for that user.
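To make the mechanism concrete, the following added example (not code from the paper, the researchers, or any extension in the study) models in Node.js what an extension's `chrome.webRequest.onHeadersReceived` listener does to a response and then audits the result against the four headers the study measured. The sample response, the hypothetical `cdn.example` origin and both listener functions are constructed for illustration; the "weakened" classification is a simple heuristic, not the paper's method.

```javascript
// Added example: model of a Chrome extension rewriting security headers in a
// webRequest onHeadersReceived listener, plus an audit of the damage done.
// Header values and the cdn.example origin below are constructed, not captured.

const SECURITY_HEADERS = [
  "content-security-policy",
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
];

// Same {name, value} array shape Chrome hands to onHeadersReceived listeners.
// Constructed response for a hypothetical site.
const ORIGINAL_HEADERS = [
  { name: "Content-Type", value: "text/html; charset=utf-8" },
  { name: "Content-Security-Policy", value: "default-src 'self'; script-src 'self' https://cdn.example" },
  { name: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
  { name: "X-Frame-Options", value: "DENY" },
  { name: "X-Content-Type-Options", value: "nosniff" },
];

// A "seemingly benign" extension that wants its injected script to run and
// its own UI to frame the page: it simply drops CSP and X-Frame-Options.
// Returns the {responseHeaders} object a blocking listener would return.
function benignLookingListener(details) {
  const responseHeaders = details.responseHeaders.filter((h) => {
    const n = h.name.toLowerCase();
    return n !== "content-security-policy" && n !== "x-frame-options";
  });
  return { responseHeaders };
}

// A subtler variant: keep the CSP header but loosen script-src so that
// inline scripts and any origin are allowed. The header still "exists".
function weakeningListener(details) {
  const responseHeaders = details.responseHeaders.map((h) => {
    if (h.name.toLowerCase() !== "content-security-policy") return h;
    const value = h.value.replace(/script-src([^;]*)/, "script-src$1 'unsafe-inline' *");
    return { name: h.name, value };
  });
  return { responseHeaders };
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function headerMap(headers) {
  const m = new Map();
  for (const h of headers) m.set(h.name.toLowerCase(), h.value);
  return m;
}

// Parse a CSP string into { directive: [source, ...] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Heuristic: the policy got weaker if any directive disappeared or gained a
// source it did not previously allow. (Does not model default-src fallback.)
function cspWeakened(before, after) {
  const a = parseCsp(before);
  const b = parseCsp(after);
  for (const [dir, srcs] of Object.entries(a)) {
    if (!(dir in b)) return true;
    const allowed = new Set(srcs);
    if (b[dir].some((s) => !allowed.has(s))) return true;
  }
  return false;
}

// Compare what the server sent with what the browser actually enforced.
// Returns one of: absent | removed | intact | weakened | changed per header.
function auditTampering(original, modified) {
  const before = headerMap(original);
  const after = headerMap(modified);
  const report = {};
  for (const name of SECURITY_HEADERS) {
    if (!before.has(name)) report[name] = "absent";
    else if (!after.has(name)) report[name] = "removed";
    else if (before.get(name) === after.get(name)) report[name] = "intact";
    else if (name === "content-security-policy" && cspWeakened(before.get(name), after.get(name))) report[name] = "weakened";
    else report[name] = "changed";
  }
  return report;
}

// Stand-alone demo of both listeners against the constructed response.
const demoStripped = benignLookingListener({ responseHeaders: ORIGINAL_HEADERS }).responseHeaders;
const demoWeakened = weakeningListener({ responseHeaders: ORIGINAL_HEADERS }).responseHeaders;
console.log("header-stripping extension:", auditTampering(ORIGINAL_HEADERS, demoStripped));
console.log("CSP-loosening extension:   ", auditTampering(ORIGINAL_HEADERS, demoWeakened));
```

The audit runs entirely on the client side because that is the only place the tampering is visible: the server still emits its full policy, so comparing a site's response headers as fetched outside the browser with what the page actually received (for example via a reporting endpoint or DevTools) is how a practitioner would catch this class of interference.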

Read more of this story at Slashdot.