Shubham Agarwal (Saarland University), Ben Stock (CISPA Helmholtz Center for Information Security)

[NOTE: The authors of this paper found critical errors in their methodology after it was presented and published at the workshop and asked to withdraw the paper from the proceedings. As such, in the current version, we mark the paper as incorrect to help future research not repeating the same mistakes. We hope the authors will repeat their measurements with a fixed approach in future.]

Browser extensions are add-ons that aim to enhance the functionality of native Web applications on the client side. They intend to provide a rich end-user experience by leveraging feature-rich privileged JavaScript APIs, otherwise inaccessible for native applications. However, numerous large-scale investigations have also reported that extensions often indulge in malicious activities by exploiting access to these privileged APIs such as ad injection, stealing privacy-sensitive data, user fingerprinting, spying user activities on the Web, and malware distribution. In this work, we instead focus on tampering with security headers. To that end, we analyze over 186K Chrome extensions, publicly available on the Chrome Web Store, to detect extensions that actively intercept requests and responses and tamper with their security headers by either injecting, dropping, or modifying them, thereby undermining the security guarantees that these headers typically provide. We propose an automated framework to detect such extensions by leveraging a combination of static and dynamic analysis techniques. We evaluate our proposed methodology by investigating the extensions’ behavior against Tranco Top 100 domains and domains targeted explicitly by the extensions under test and report our findings. We observe that over 2.4K extensions actively tamper with at least one security header, undermining the purpose of the server-delivered, client-enforced security headers.

View More Papers

insecure:// Vulnerability Analysis of URI Scheme Handling in Android...

Abdulla Aldoseri (University of Birmingham) and David Oswald (University of Birmingham)

Read More

Debunking Exposure Notification

Serge Vaudenay, EPFL, Switzerland

Read More

Google/Apple Exposure Notification Due Diligence

Douglas Leith and Stephen Farrell (Trinity College Dublin)

Read More

Demo #7: Automated Tracking System For LiDAR Spoofing Attacks...

Yulong Cao, Jiaxiang Ma, Kevin Fu (University of Michigan), Sara Rampazzi (University of Florida), and Z. Morley Mao (University of Michigan) Best Demo Award Runner-up ($200 cash prize)!

Read More