
Lots of extensions for Google Chrome interfere with security headers


Security researchers have found that thousands of extensions for Google Chrome from the official Chrome Web Store change security headers on popular sites, thereby putting users at risk.

The experts explain that security headers are an important part of the internet today. Technically, they are HTTP response headers: metadata the server sends to a client application, such as a browser, alongside the content itself.

Every time a user accesses the site, the browser makes a request to the server, from which the site is then loaded. While the sites themselves are rendered using HTML, JavaScript, and CSS, administrators can add additional settings to the HTTP connection headers so that the user’s browser handles the provided content in a specific way.

Security headers are the subset of HTTP response headers that let site administrators enable and configure security features in a user’s browser and in other client applications.

“Some of the most common headers are commonly used by site operators to ensure that the resource is running over HTTPS, users are protected from XSS attacks, and the code inside the iframe cannot steal data,” the experts explain.

In a paper presented as part of the MADWeb workshop at the NDSS 2021 security conference, researchers at the Helmholtz Center for Information Security in Germany (CISPA) said they were able to estimate the number of Chrome extensions interfering with security headers.

The research team stated that 186,434 Chrome extensions from the Chrome Web Store were analyzed using a custom framework created specifically for this study. It turned out that 2,485 extensions intercept and modify at least one security header used by the top 100 sites.


The experts did not focus on all security headers, but only on the four most common: Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options.

While 2,485 extensions disabled at least one header, the researchers found that 553 of them disabled all four security headers listed above. The header deactivated most often was CSP, which lets site owners control which resources a page is allowed to load in the browser and is the standard protection for sites and browsers against XSS and injection attacks.


In most of the cases studied, extensions turned off CSP and other security headers “to introduce additional and seemingly harmless functionality on the web page being visited,” meaning these actions were not malicious in nature.
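As an added example (not code from the paper or from this article), here is a small audit of the kind a site operator could run to see whether the four headers above survive the trip to the page: compare the headers the server sent with the headers a test page actually observed, and flag anything removed or loosened. Both header sets below are constructed, and the CISPA team's own framework is not reproduced.

```javascript
// The four headers the CISPA study focused on (HTTP header names are case-insensitive).
const SECURITY_HEADERS = [
  "content-security-policy",
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
];

// Constructed sample: what the server sent, and what the page saw after an
// extension rewrote the response (X-Frame-Options dropped, CSP loosened).
const SERVER_RESPONSE = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
};
const SEEN_BY_PAGE = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example 'unsafe-inline' *",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
};

// Lowercase header names and trim values so the comparison is not fooled by case or spacing.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value.trim();
  return out;
}

// Report which security headers set by the server were removed, changed, or left intact.
function auditSecurityHeaders(sent, observed) {
  const s = normalise(sent), o = normalise(observed);
  const report = { removed: [], modified: [], intact: [] };
  for (const h of SECURITY_HEADERS) {
    if (!(h in s)) continue;                 // server never set it, so nothing to lose
    if (!(h in o)) report.removed.push(h);
    else if (s[h] !== o[h]) report.modified.push(h);
    else report.intact.push(h);
  }
  return report;
}

// Parse a CSP string into { directiveName: Set(sources) }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = new Set(tokens.slice(1));
  }
  return directives;
}

// A changed CSP only matters if it got weaker: list every source a directive gained
// that the server's policy did not allow (e.g. 'unsafe-inline' or a wildcard).
function cspWeakenings(sentCsp, observedCsp) {
  const before = parseCsp(sentCsp), after = parseCsp(observedCsp);
  const findings = [];
  for (const [name, sources] of Object.entries(after)) {
    const allowed = before[name] || new Set();
    const added = [...sources].filter((src) => !allowed.has(src));
    if (added.length) findings.push({ directive: name, added });
  }
  return findings;
}
```

Run against the constructed sample, the audit reports X-Frame-Options as removed and CSP as modified, and the CSP check shows script-src gained 'unsafe-inline' and *.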

Let me remind you that I also wrote that Google introduces mandatory 2-Step Verification for Google Accounts.

About The Author
Vladimir Krasnogolovy