More Reasons to Ditch Your Browser Extensions

As reported today, May 26, 2021, in The Record, a paper presented at the MADWeb workshop at the NDSS 2021 security conference by researchers from the CISPA Helmholtz Center for Information Security analyzed 186,434 Chrome browser extensions and found 2,485 that disabled at least one security header used by the top 100 most popular websites.

Security headers are HTTP response headers sent by the server that let site administrators turn on protections inside the browser or other client application. The most common ones include Strict-Transport-Security (HSTS), which forces the site to load over an encrypted HTTPS connection; Content-Security-Policy (CSP), which protects users from cross-site scripting attacks; and X-Frame-Options, which controls whether the site may be embedded in another page's iframe, the basis of clickjacking attacks. Because the browser is what enforces these headers, anything sitting between the server and the page, including an extension with permission to rewrite response headers, can remove them without the user noticing.
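To make the mechanism concrete, here is an added example in JavaScript; it is not code from the paper, from The Record, or from any named extension. It shows what a header-stripping extension's listener does and a check that detects the result. It assumes the shape of Chrome's Manifest V2 webRequest API, where an onHeadersReceived listener receives `details.responseHeaders` as an array of `{name, value}` objects and may return a replacement array; the sample response headers below are constructed, not captured from a real site.

```javascript
// Added example, not from the CISPA paper or The Record: how an extension
// strips security headers, and a check that spots the difference.
// Assumptions: Manifest V2 webRequest API shape (details.responseHeaders is an
// array of {name, value}); the sample response below is constructed.

const SECURITY_HEADERS = [
  "content-security-policy",
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
];

// What a header-manipulating extension's listener does: drop the security
// headers and hand the rest back to the browser. In a real extension this
// function would be registered as
//   chrome.webRequest.onHeadersReceived.addListener(stripSecurityHeaders,
//     { urls: ["<all_urls>"] }, ["blocking", "responseHeaders"]);
function stripSecurityHeaders(details) {
  const kept = details.responseHeaders.filter(
    (h) => !SECURITY_HEADERS.includes(h.name.toLowerCase())
  );
  return { responseHeaders: kept };
}

// Check: given what the server sent (e.g. a `curl -I` capture) and what the
// page observed, list the security headers that disappeared in between.
// Returned names are lower-cased and in the server's order.
function missingSecurityHeaders(serverHeaders, observedHeaders) {
  const seen = new Set(observedHeaders.map((h) => h.name.toLowerCase()));
  return serverHeaders
    .map((h) => h.name.toLowerCase())
    .filter((name) => SECURITY_HEADERS.includes(name) && !seen.has(name));
}

// Constructed sample response, not a real capture.
const SAMPLE_RESPONSE = {
  url: "https://example.test/",
  responseHeaders: [
    { name: "Content-Type", value: "text/html; charset=utf-8" },
    { name: "Content-Security-Policy", value: "default-src 'self'" },
    { name: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
    { name: "X-Frame-Options", value: "DENY" },
    { name: "X-Content-Type-Options", value: "nosniff" },
  ],
};

// Run the sample through the listener and report what the page lost.
function demo() {
  const afterExtension = stripSecurityHeaders(SAMPLE_RESPONSE).responseHeaders;
  return missingSecurityHeaders(SAMPLE_RESPONSE.responseHeaders, afterExtension);
}

console.log("security headers removed by the extension:", demo());
```

To apply the check to a real site, capture the headers the server sends with `curl -sI https://example.com` and compare them with what the browser's DevTools Network panel shows for the same page; any security header present in the first list but absent from the second was removed somewhere in between, and on a clean network an extension is the usual suspect (an intercepting proxy is the other).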

What We Can Do About The Issue

Unfortunately, the list of culprit extensions is not included in the paper, and no comparable analysis was done on Firefox extensions. Even so, the finding is a solid reminder to keep browser extensions to the bare minimum.

  1. Open your browser's Extensions page (chrome://extensions in Chrome, about:addons in Firefox).
  2. Research each extension listed: who publishes it, and which permissions it requests.
  3. If the extension comes from a suspect developer or does not provide a service you actually need, remove it.
  4. Repeat for each browser in use.

The research paper, "First, Do No Harm: Studying the manipulation of security headers in browser extensions", is available here.