
Thousands of Chrome Extensions Are Tampering With Security Headers (therecord.media)

An anonymous reader quotes a report from The Record: Thousands of Google Chrome extensions available on the official Chrome Web Store are tampering with security headers on popular websites, putting users at risk of a wide range of web-based attacks. While they are a little-known technical detail, security headers are an important part of the current internet landscape. At a technical level, a security header is an HTTP response sent by the server to a client app, such as a browser. [...] In a paper presented at the MADWeb workshop at the NDSS 2021 security conference, researchers from the CISPA Helmholtz Center for Information Security said they tried to assess the number of Chrome extensions tampering with security headers for the very first time. Using a custom framework they built specifically for their study, the research team said they analyzed 186,434 Chrome extensions that were available on the official Chrome Web Store last year. Their work found that 2,485 extensions were intercepting and modifying at least one security header used by today's Top 100 most popular websites (as available in the Tranco list).

The study didn't focus on all security headers, but only on the four most common ones, such as: Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options. While 2,485 extensions disabled at least one, researchers said they found 553 disabling all four security headers they analyzed in their research. The most commonly disabled security header was CSP, a security header that was developed to allow site owners to control what web resources a page is allowed to load inside a browser and a typical defense that can protect websites and browsers against XSS and data injection attacks. According to the research team, in most of the cases they analyzed, the Chrome extensions disabled CSP and other security headers "to introduce additional seemingly benign functionalities on the visited webpage," and didn't look to be malicious in nature. However, even if the extensions wanted to enrich a user's experience online, the German academics argued that by tampering with security headers, all the extensions did was to expose users to attacks from other scripts and sites running inside the browser and on the web.
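The summary names the four headers the study covered but does not show what "tampering" looks like at the header level. The following is an added example, not code from The Record or the CISPA paper: a small Python audit that checks the four headers for presence and obviously weak values (an `'unsafe-inline'` or `*` source in CSP, a short HSTS `max-age`, a non-standard `X-Frame-Options` or `X-Content-Type-Options` value) and then diffs the headers a server sent against the headers a page actually observed, which is how a site owner or tester would notice that something between the server and the document rewrote them. The two header sets, `SERVER_HEADERS` and `OBSERVED_HEADERS`, are constructed for the example; the thresholds and the "weak" criteria are the example's own assumptions, not the paper's methodology.

```python
"""Audit the four security headers from the study and flag tampering.

Added example (not from The Record or the CISPA paper). The header sets below
are constructed: SERVER_HEADERS is what an origin server might send and
OBSERVED_HEADERS is what the page might see after a hypothetical extension
rewrote the response.
"""
from __future__ import annotations

# The four headers the study focused on; HTTP header names are case-insensitive.
AUDITED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)

ONE_YEAR = 31536000  # seconds; assumed minimum for a meaningful HSTS max-age


def normalize(headers: dict[str, str]) -> dict[str, str]:
    """Lower-case names and trim values so comparisons ignore case and whitespace."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, raw = directive.strip().partition("=")
        if key.lower() == "max-age" and raw.isdigit():
            return int(raw)
    return 0


def audit(headers: dict[str, str]) -> list[str]:
    """Return findings for one response: missing headers and weak values."""
    h = normalize(headers)
    findings = [f"missing {name}" for name in AUDITED_HEADERS if name not in h]

    if "content-security-policy" in h:
        policy = parse_csp(h["content-security-policy"])
        for directive in ("script-src", "default-src"):
            sources = policy.get(directive, [])
            # Either token lets arbitrary script run, defeating CSP's XSS protection.
            if "'unsafe-inline'" in sources or "*" in sources:
                findings.append(f"weak CSP: {directive} allows {' '.join(sources)}")

    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age < ONE_YEAR:
            findings.append(f"weak HSTS: max-age={age} (< 1 year)")

    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak X-Frame-Options: {h['x-frame-options']}")

    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append(f"weak X-Content-Type-Options: {h['x-content-type-options']}")
    return findings


def detect_tampering(server: dict[str, str], observed: dict[str, str]) -> list[str]:
    """Report audited headers that were removed or changed between the two views."""
    s, o = normalize(server), normalize(observed)
    changes = []
    for name in AUDITED_HEADERS:
        if name in s and name not in o:
            changes.append(f"removed {name}")
        elif name in s and s[name] != o[name]:
            changes.append(f"changed {name}: {s[name]!r} -> {o[name]!r}")
    return changes


# Constructed sample: what the server sent ...
SERVER_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
# ... and what the page saw after a hypothetical extension relaxed CSP and dropped two headers.
OBSERVED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, headers in (("server", SERVER_HEADERS), ("observed", OBSERVED_HEADERS)):
        print(label, audit(headers) or "no findings")
    print("tampering:", detect_tampering(SERVER_HEADERS, OBSERVED_HEADERS))
```

In practice the "observed" side comes from inside the browser under test (for example the headers a DevTools network capture or a testing extension reports for the document response) and the "server" side from a direct fetch with no extensions loaded; a difference between the two, rather than the audit findings alone, is the signal that something is rewriting headers on the client.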

  • Bad design choices (Score:4, Interesting)

    by DarkOx ( 621550 ) on Wednesday May 26, 2021 @08:13AM (#61423618) Journal

    Extensions and JS APIs should probably not have much or any access to the protocol level. They should only be able to operate at the mess/document level.

    Obviously some minimal stuff like READ ONLY access to response headers, the ability to ADD custom request headers and URL parameters (obviously) is probably needed but you should not be able to modify any of the default request headers from what the browser ordinarily generates according to the usual rules.

    As long as the Browser has to be 'all the things' it's going to always be a security black-hole.

    • by Errol backfiring ( 1280012 ) on Wednesday May 26, 2021 @09:02AM (#61423782) Journal

      Or bad design of the extensions. A lot of entries in our CSP violations log come from browser extensions injecting all kinds of crap into the visited web pages. Those injections should be done through an independent request, not injected as if the HTML of a page requested it.

      I am surprised that such behaviour is not filtered out by the browser makers as malicious.

      I would argue against limiting any extension's access to headers, because that would also block extensions that let the user control those headers.
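The comment above mentions CSP violation logs filling up with extension-injected content. The following is an added example, not the commenter's code: a Python triage script that reads CSP violation reports (the JSON shape browsers send to a `report-uri` endpoint), separates violations whose `blocked-uri` or `source-file` carries an extension scheme such as `chrome-extension://` or `moz-extension://` from genuine site problems, and counts the offending extension IDs. The sample reports and the extension IDs in them are constructed placeholders; the set of extension schemes and the three classes are the example's own assumptions. Browsers do not always expose the extension origin in a report, so the `inline` bucket can still contain extension noise; the script only separates what the reports make visible.

```python
"""Triage CSP violation reports: split extension-injected violations from site issues.

Added example, not from the commenter or any browser vendor. The reports below
are constructed in the report-uri JSON shape; the extension IDs are placeholders.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Iterable
from urllib.parse import urlsplit

# URL schemes browsers use for extension-packaged resources (assumed list).
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-web-extension"}


def extension_id(uri: str) -> str | None:
    """Return the extension ID (the host part of an extension URL), or None."""
    if not uri:
        return None
    parts = urlsplit(uri)
    return parts.netloc if parts.scheme in EXTENSION_SCHEMES else None


def classify(report: dict) -> tuple[str, str | None]:
    """Classify one report as 'extension', 'inline' or 'remote', with the extension ID if any."""
    body = report.get("csp-report", report)  # report-uri wraps the body; report-to does not
    # An injected <script src=chrome-extension://...> shows up in blocked-uri; an inline
    # script created by an extension shows up as blocked-uri "inline" with source-file set.
    for field in ("blocked-uri", "source-file"):
        ext = extension_id(body.get(field, ""))
        if ext:
            return "extension", ext
    if body.get("blocked-uri", "") in ("", "inline", "eval"):
        return "inline", None
    return "remote", None


def triage(lines: Iterable[str]) -> tuple[Counter, Counter]:
    """Count report classes and offending extension IDs over JSON-lines input."""
    classes: Counter = Counter()
    extensions: Counter = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        kind, ext = classify(json.loads(line))
        classes[kind] += 1
        if ext:
            extensions[ext] += 1
    return classes, extensions


# Constructed sample log: one JSON report per line, as a report-uri collector would store them.
SAMPLE_REPORTS = [
    # Extension script element injected into the page and blocked by script-src.
    json.dumps({"csp-report": {"document-uri": "https://shop.example/cart",
                               "violated-directive": "script-src",
                               "blocked-uri": "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/inject.js"}}),
    # Inline script created by an extension: blocked-uri is "inline", source-file names the extension.
    json.dumps({"csp-report": {"document-uri": "https://shop.example/cart",
                               "violated-directive": "script-src",
                               "blocked-uri": "inline",
                               "source-file": "moz-extension://bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/content.js"}}),
    # A third-party script the site never allow-listed: a real finding for the site owner.
    json.dumps({"csp-report": {"document-uri": "https://shop.example/cart",
                               "violated-directive": "script-src",
                               "blocked-uri": "https://tracker.example/t.js"}}),
    # Inline handler in the site's own markup.
    json.dumps({"csp-report": {"document-uri": "https://shop.example/cart",
                               "violated-directive": "script-src-attr",
                               "blocked-uri": "inline"}}),
]

if __name__ == "__main__":
    classes, extensions = triage(SAMPLE_REPORTS)
    print("by class:", dict(classes))
    print("extension IDs:", dict(extensions))
```

Feeding a real collector's output through `triage` lets the `remote` and `inline` counts be treated as the site's own backlog while the `extension` bucket is tracked separately, so extension noise does not drown out the violations the site can actually fix.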

    • by reanjr ( 588767 ) on Wednesday May 26, 2021 @10:25AM (#61424104) Homepage

      I think there's a nice middle ground with appropriately presented security dialogs. If the extension asks me if I will allow it to "hijack private communications", I can make an informed decision.

    • by tlhIngan ( 30335 )

      Obviously some minimal stuff like READ ONLY access to response headers, the ability to ADD custom request headers and URL parameters (obviously) is probably needed but you should not be able to modify any of the default request headers from what the browser ordinarily generates according to the usual rules.

      That means you can never write a cookie manager, or a privacy manager because cookies are added to the HTTP header by the browser. A cookie manager will need to be able to delete those header entries to n

  • by Viol8 ( 599362 ) on Wednesday May 26, 2021 @08:47AM (#61423716) Homepage

    i.e., be a dumb static text and graphics display system with maybe some basic input ability, and not become some kind of pseudo-OS with all the pitfalls that entails. If the browser stack was a half decent design it wouldn't be so bad but the appalling mashup of HTML, CSS, javascript and all the other poorly implemented "technologies" involved designed by 2nd raters and used by 3rd raters just makes things far worse than they should be.

    • by PPH ( 736903 )

      Which is what the browser is doing. But it seems that a bunch of extensions are fiddling with the 'content' (which I take to include the headers) before the browser gets it.

      • by Viol8 ( 599362 )

        Congrats on completely missing the point. If you didn't have javascript in the first place you couldn't have plug-ins to fiddle with the content.

  • by The Faywood Assassin ( 542375 ) <benyjr AT yahoo DOT ca> on Wednesday May 26, 2021 @08:55AM (#61423754) Homepage

    So which extensions are we talking about here?

    I would like to be able to uninstall any offending extensions I may be using if we could see a list of these 2485 items.

  • er (Score:2, Informative)

    The whole point of browser extensions is to modify how the browser operates.

    If that's just too terrifying, then don't build a browser that allows extensions.

    • Don't force the user to make all-or-nothing decisions when granting/denying permissions.

      Developers are lazy (or malicious) and frequently ask for more than they need. I should be able to deny subsets of the requested rights and suffer the breakage that may incur or feedback about it.

  • There should not be thousands of extensions in the first place. That makes security auditing difficult and is a waste of time.

    There are not thousands of tasks requiring extensions. Adblocking, accessibility and other FUNCTIONALLY VALUABLE extensions are a worthy use of the ability to add them. That's not a huge number.

    It should not be a matter of "what is not excluded is permitted" but of "what is deemed necessary after thorough security review and functional justification" is permitted and those not liking

  • Does the world really need 186,434 Chrome extensions?
  • The big complaint I have with Chrome is how it allows extensions to just get installed/added without asking the user if the extension was authorized. Picture if programs could just install themselves in the background without your knowledge or intent, which is what Microsoft addressed with User Account Control back in the days of Vista. Firefox will verify that you meant to install a plugin or not, Chrome just lets any junk go in.

  • No shit Sherlock
  • Seriously.

    I've been building enterprise web apps for 20yrs, and at least 3/4 of them have had to fuck with these headers in *some* way to get around one bug or another.

    And that's for apps where the company owns everything: hardware, software, switches & data lines etc...

  • These security headers are a bad idea in the first place. At best they're telling the browser, "Pretty please follow these rules." The user *should* be able to install a browser extension that modifies the content, including headers, regardless of the advice of the web site sending it.

    Maybe the browser should have some sort of "I know what I'm doing" click-through before allowing the installation of such extensions. But if a user wants to arm the foot-gun in order to improve their experience, more power
