Lots of extensions for Google Chrome interfere with security headers
Security researchers have found that thousands of extensions for Google Chrome from the official Chrome Web Store change security headers on popular sites, thereby putting users at risk.
The experts explain that security headers are an important part of the internet today. Technically, they are HTTP response headers sent by the server to a client application, such as a browser.
Security headers are a class of HTTP response header that lets site administrators enable and configure security features in a user’s browser and in other client applications.
“Some of the most common headers are commonly used by site operators to ensure that the resource is running over HTTPS, users are protected from XSS attacks, and the code inside the iframe cannot steal data,” the experts explain.
In a paper presented as part of the MADWeb workshop at the NDSS 2021 security conference, researchers at the Helmholtz Center for Information Security in Germany (CISPA) said they were able to estimate the number of Chrome extensions interfering with security headers.
The research team stated that 186,434 Chrome extensions from the Chrome Web Store were analyzed using a custom framework created specifically for this study. It turned out that 2,485 extensions intercept and modify at least one security header used by the top 100 sites.
While 2,485 extensions disabled at least one header, the researchers found that 553 of them disabled all four of the security headers covered by the study. The header most often deactivated was CSP, which lets site owners control which resources a page is allowed to load in the browser and serves as a standard protection for sites and browsers against XSS and injection attacks.
In most of the cases studied, extensions turned off CSP and other security headers “to introduce additional and seemingly harmless functionality on the web page being visited,” meaning these actions were not malicious in nature.
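The kind of tampering the study measured can be checked for on the client side by comparing the headers the server sent with the ones the page actually received. The following is an added illustration, not the CISPA framework or any code from the article; the header sets are constructed and the CSP keywords treated as weakening are an assumption of this example.

```python
# Added illustration, not the CISPA study's framework: compare the security headers a
# server sent with those a page actually received, and flag any removed or (CSP) weakened.
# The four header families the article discusses: HTTPS enforcement, XSS filter, iframe control, CSP.
SECURITY_HEADERS = ("strict-transport-security", "x-xss-protection",
                    "x-frame-options", "content-security-policy")
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}  # additions that loosen a CSP directive


def parse_csp(value):
    """Parse a CSP header value into {directive: set(sources)}."""
    policy = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy


def csp_weakenings(original, modified):
    """List the ways `modified` is weaker than `original` (empty if it is not)."""
    orig, mod = parse_csp(original), parse_csp(modified)
    findings = []
    for directive, sources in orig.items():
        if directive not in mod:
            findings.append(f"content-security-policy: {directive} removed")
            continue
        unsafe = (mod[directive] - sources) & UNSAFE_SOURCES
        if unsafe:
            findings.append(f"content-security-policy: {directive} now allows {' '.join(sorted(unsafe))}")
    return findings


def audit_headers(sent, received):
    """Return findings for security headers missing or weakened in `received` relative to `sent`."""
    sent = {k.lower(): v for k, v in sent.items()}
    received = {k.lower(): v for k, v in received.items()}
    findings = []
    for name in SECURITY_HEADERS:
        if name in sent and name not in received:
            findings.append(f"{name}: removed")
        elif name == "content-security-policy" and name in sent:
            findings.extend(csp_weakenings(sent[name], received[name]))
    return findings


# Constructed sample: headers as sent by the server vs. as seen by the page after an extension rewrote them.
SERVER = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY",
          "Content-Security-Policy": "default-src 'self'; script-src 'self' cdn.example"}
OBSERVED = {"Strict-Transport-Security": "max-age=31536000",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' cdn.example 'unsafe-inline'"}
```

Calling `audit_headers(SERVER, OBSERVED)` reports the dropped X-Frame-Options header and the 'unsafe-inline' source added to script-src, which is the same class of change the study counted as interference.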
Let me remind you that I also wrote that Google is introducing mandatory 2-Step Verification for Google Accounts.