There have been reports of extensions distributed on the Chrome Web Store that are in fact malware, posing as ad blockers while stealing personal information. Now a study by CISPA, a security research group, has found that more than 2,000 Google Chrome extensions have the ability to manipulate security headers.
When a browser loads a website, the server can send security headers along with the response, such as HTTP Strict Transport Security (HSTS), which forces the browser to use HTTPS, and Content Security Policy (CSP), which restricts where scripts and other resources may be loaded from and so mitigates injection attacks such as XSS. These headers are now widely adopted, but they are also a target for attackers. The research team examined whether Google Chrome extensions interfere with four security headers: HSTS, CSP, X-Frame-Options (which controls whether a page may be embedded in a frame, a defence against clickjacking) and X-Content-Type-Options (which stops the browser from MIME-sniffing a response into a different content type).
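As an added illustration (not code from the CISPA study or from any extension it examined), the script below shows the mechanism by which an extension can rewrite these headers, and a small checker that reports what happened to each of the four headers. The rewrite functions model two hypothetical extensions: one that strips CSP and X-Frame-Options outright, and one that appends 'unsafe-inline' to script-src so its own injected script will run. The listener registration assumes a Manifest V2 extension holding the "webRequest" and "webRequestBlocking" permissions; it only executes inside Chrome, so the rest of the file also runs under Node. The sample response headers are constructed, not captured from a real site.

```javascript
"use strict";

// The four response headers the study examined, lower-cased because HTTP
// header names are case-insensitive.
const STUDIED_HEADERS = [
  "strict-transport-security",
  "content-security-policy",
  "x-frame-options",
  "x-content-type-options",
];

// chrome.webRequest hands listeners headers as [{name, value}]. Collapse them
// into a Map of lower-cased name -> value so comparisons ignore case and order.
function headersToMap(headers) {
  const map = new Map();
  for (const { name, value } of headers) {
    const key = name.toLowerCase();
    map.set(key, map.has(key) ? `${map.get(key)}, ${value}` : value);
  }
  return map;
}

// Compare the headers the server sent with the headers an extension handed back
// to the browser; report "removed", "added", "modified" or "unchanged" per header.
function diffSecurityHeaders(before, after) {
  const b = headersToMap(before);
  const a = headersToMap(after);
  return STUDIED_HEADERS.map((header) => {
    let change;
    if (b.has(header) && !a.has(header)) change = "removed";
    else if (!b.has(header) && a.has(header)) change = "added";
    else if (b.has(header) && b.get(header) !== a.get(header)) change = "modified";
    else change = "unchanged";
    return { header, change };
  });
}

// Heuristic (assumption, not the study's metric): a rewritten CSP counts as
// loosened if it gained a source expression that defeats the policy's purpose.
// Tokenising on whitespace and ';' keeps "*.example.com" from matching "*".
const LOOSENING_TOKENS = ["'unsafe-inline'", "'unsafe-eval'", "*", "data:"];
function cspTokens(value) {
  return new Set((value || "").split(/[\s;]+/).filter(Boolean).map((t) => t.toLowerCase()));
}
function cspLoosened(beforeValue, afterValue) {
  const before = cspTokens(beforeValue);
  const after = cspTokens(afterValue);
  return LOOSENING_TOKENS.some((t) => after.has(t) && !before.has(t));
}

// Hypothetical extension 1: drop CSP and X-Frame-Options so the page can be
// framed and an injected script is no longer blocked.
function stripForInjection(headers) {
  const dropped = new Set(["content-security-policy", "x-frame-options"]);
  return headers.filter((h) => !dropped.has(h.name.toLowerCase()));
}

// Hypothetical extension 2: keep CSP but append 'unsafe-inline' to script-src.
// A policy without an explicit script-src directive is left untouched here.
function relaxCspForInlineScript(headers) {
  return headers.map((h) =>
    h.name.toLowerCase() === "content-security-policy"
      ? { name: h.name, value: h.value.replace(/script-src([^;]*)/i, "script-src$1 'unsafe-inline'") }
      : h
  );
}

// Manifest V2 registration (assumed permissions: webRequest, webRequestBlocking).
// Guarded so the file is still loadable outside Chrome.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => ({ responseHeaders: stripForInjection(details.responseHeaders) }),
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders"]
  );
}

// Constructed sample response, as a server might send it (not a real capture).
const SAMPLE_RESPONSE_HEADERS = [
  { name: "Content-Type", value: "text/html" },
  { name: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
  { name: "Content-Security-Policy", value: "default-src 'self'; script-src 'self'" },
  { name: "X-Frame-Options", value: "DENY" },
  { name: "X-Content-Type-Options", value: "nosniff" },
];

// Run the checker over both hypothetical rewrites.
function auditSample() {
  return {
    stripped: diffSecurityHeaders(SAMPLE_RESPONSE_HEADERS, stripForInjection(SAMPLE_RESPONSE_HEADERS)),
    relaxed: diffSecurityHeaders(SAMPLE_RESPONSE_HEADERS, relaxCspForInlineScript(SAMPLE_RESPONSE_HEADERS)),
  };
}
console.log(JSON.stringify(auditSample(), null, 2));
```

Under Manifest V3 the blocking webRequest listener is no longer available, but the same effect is achievable with declarativeNetRequest rules whose modifyHeaders action removes or sets response headers, so the migration does not close this avenue; a review of an extension should look for either API touching the four headers above.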
The investigation found that 2,485 of the 186,434 extensions distributed on the Chrome Web Store changed at least one of the four security headers, and 533 of them changed all four. CSP was the header modified most often, and each of the other three headers was also changed by more than 1,000 extensions.
According to the research team, most of these header changes were intended to improve the user experience rather than to cause harm. Even so, the team warns against manipulating security headers, since removing or weakening them can expose users to the very attacks the headers exist to prevent. Related information can be found here.