Thousands of Chrome Extensions Play With User Safety

According to a study by computer security experts at the CISPA Helmholtz Center, tens of thousands of Google Chrome extensions knowingly remove HTTP security headers. These headers are designed to protect against a wide range of cyber-attacks.


While Google Chrome 91 is still in beta, computer security researchers at the CISPA Helmholtz Center chose to study the 186,000 extensions in the Chrome Web Store. The purpose of the exercise was to check whether these extensions remove or block security headers in HTTP connections.

These headers matter for security: they hinder several classes of attack, such as serving altered data or exploiting various vulnerabilities. The HSTS (HTTP Strict Transport Security) header, for example, forces the browser to use encrypted HTTPS connections (TLS/SSL certificate) so that bad actors cannot intercept your data as you browse.


Another example is the Public Key Pinning header, which protects you from unauthorized certificate issuance and, as a result, Man-in-the-Middle attacks, which are routinely used to steal access credentials or other sensitive information. CISPA Helmholtz Center researchers discovered that 2,485 extensions remove at least one of the four HTTP headers specified below:

  • HSTS (HTTP Strict Transport Security), described above
  • XFO (X-Frame-Options), which protects visitors to a site against clickjacking (tricking the user into interacting with content different from what they intended)
  • XCTO (X-Content-Type-Options), which stops the browser from sniffing MIME types (a behaviour that would otherwise let an attacker perform certain dangerous operations against the site or the user)
  • CSP (Content Security Policy), which prevents an attacker from injecting malicious scripts into the main page of a site

Notably, 533 Chrome extensions remove all four headers at once. As the researchers point out, the designers of these extensions do not necessarily intend to jeopardize the user's security. Rather, they strip these headers in order to provide more functionality in their program.
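To make the four headers concrete, here is a small audit script, an added example that is not part of the article or the CISPA study. It checks a response's header set for HSTS, XFO, XCTO and CSP (real header names), flags values that give no protection, and compares the headers a server sent with those the browser actually observed, which is the signature of client-side stripping. The sample responses are constructed.

```python
import re
from typing import Dict, List, Mapping

# The four headers from the CISPA study (real HTTP header names, lower-cased).
SECURITY_HEADERS = {
    "strict-transport-security": "HSTS",
    "x-frame-options": "XFO",
    "x-content-type-options": "XCTO",
    "content-security-policy": "CSP",
}


def _normalize(headers: Mapping[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def _hsts_max_age(value: str):
    """Extract the max-age directive from an HSTS value, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_security_headers(headers: Mapping[str, str]) -> List[str]:
    """Return one finding per header that is missing or set to a value that
    gives no protection. An empty list means all four are in place."""
    h = _normalize(headers)
    findings: List[str] = []
    for name, label in SECURITY_HEADERS.items():
        value = h.get(name)
        if value is None:
            findings.append(f"{label}: missing")
        elif name == "strict-transport-security":
            # max-age=0 tells the browser to forget the HSTS policy entirely.
            if not _hsts_max_age(value):
                findings.append(f"{label}: max-age absent or zero ({value!r})")
        elif name == "x-frame-options":
            if value.upper() not in ("DENY", "SAMEORIGIN"):
                findings.append(f"{label}: unexpected value {value!r}")
        elif name == "x-content-type-options":
            if value.lower() != "nosniff":
                findings.append(f"{label}: expected 'nosniff', got {value!r}")
        elif name == "content-security-policy":
            if not value:
                findings.append(f"{label}: empty policy")
    return findings


def stripped_headers(sent: Mapping[str, str], observed: Mapping[str, str]) -> List[str]:
    """Labels of security headers the server sent but the client did not
    receive. A non-empty result means something between the server and the
    page (for example a browser extension) removed them."""
    s, o = _normalize(sent), _normalize(observed)
    return [label for name, label in SECURITY_HEADERS.items() if name in s and name not in o]


# Constructed sample: headers as sent by a server, the same response after an
# extension removed all four (the 533-extension case), and a weakened variant.
SERVER_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}
AFTER_STRIPPING = {"Content-Type": "text/html; charset=utf-8"}
WEAKENED = {**SERVER_RESPONSE, "Strict-Transport-Security": "max-age=0"}

if __name__ == "__main__":
    print(audit_security_headers(SERVER_RESPONSE))           # []
    print(audit_security_headers(AFTER_STRIPPING))           # four 'missing' findings
    print(stripped_headers(SERVER_RESPONSE, AFTER_STRIPPING))  # ['HSTS', 'XFO', 'XCTO', 'CSP']
```

In practice the "sent" set comes from fetching the page outside the browser (for example with curl or from the server's own configuration) and the "observed" set from the browser's developer tools; a difference between the two points at the client, not the server.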

However, the end result is the same: users of these Google Chrome extensions are at a far higher risk of cyberattacks. On Windows 10 PCs, Google Chrome 90 was recently beset by a number of difficulties, and Google quickly stated what needed to be done to fix the problem.
