Shubham Agarwal (Saarland University), Ben Stock (CISPA Helmholtz Center for Information Security)

[NOTE: The authors of this paper found critical errors in their methodology after it was presented and published at the workshop and asked to withdraw the paper from the proceedings. As such, in the current version, we mark the paper as incorrect to help future research not repeating the same mistakes. We hope the authors will repeat their measurements with a fixed approach in future.]

Browser extensions are add-ons that aim to enhance the functionality of native Web applications on the client side. They intend to provide a rich end-user experience by leveraging feature-rich privileged JavaScript APIs, otherwise inaccessible for native applications. However, numerous large-scale investigations have also reported that extensions often indulge in malicious activities by exploiting access to these privileged APIs such as ad injection, stealing privacy-sensitive data, user fingerprinting, spying user activities on the Web, and malware distribution. In this work, we instead focus on tampering with security headers. To that end, we analyze over 186K Chrome extensions, publicly available on the Chrome Web Store, to detect extensions that actively intercept requests and responses and tamper with their security headers by either injecting, dropping, or modifying them, thereby undermining the security guarantees that these headers typically provide. We propose an automated framework to detect such extensions by leveraging a combination of static and dynamic analysis techniques. We evaluate our proposed methodology by investigating the extensions’ behavior against Tranco Top 100 domains and domains targeted explicitly by the extensions under test and report our findings. We observe that over 2.4K extensions actively tamper with at least one security header, undermining the purpose of the server-delivered, client-enforced security headers.

View More Papers

When DNS Goes Dark: Understanding Privacy and Shaping Policy...

Vijay k. Gurbani and Cynthia Hood ( Illinois Institute of Technology), Anita Nikolich (University of Illinois), Henning Schulzrinne (Columbia University) and Radu State (University of Luxembourg)

Read More

FlowLens: Enabling Efficient Flow Classification for ML-based Network Security...

Diogo Barradas (INESC-ID, Instituto Superior Técnico, Universidade de Lisboa), Nuno Santos (INESC-ID, Instituto Superior Técnico, Universidade de Lisboa), Luis Rodrigues (INESC-ID, Instituto Superior Técnico, Universidade de Lisboa), Salvatore Signorello (LASIGE, Faculdade de Ciências, Universidade de Lisboa), Fernando M. V. Ramos (INESC-ID, Instituto Superior Técnico, Universidade de Lisboa), André Madeira (INESC-ID, Instituto Superior Técnico, Universidade de…

Read More

Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing

Jinghan Wang (University of California, Riverside), Chengyu Song (University of California, Riverside), Heng Yin (University of California, Riverside)

Read More