Malicious Chrome Extension Exposes Passwords in Plain Text: Researchers Warn of Potential Security Risks

Security researchers from the University of Wisconsin-Madison have unveiled a concerning vulnerability in Google Chrome extensions that could jeopardize user passwords. Their proof-of-concept extension demonstrated how passwords can be extracted in plaintext format from a website’s source code.

The researchers’ investigation focused on text input fields within web browsers and revealed that Chrome grants extensions more privileges than it should due to its coarse-grained permission model. This elevated access allows extensions to retrieve data from text input fields.

Compounding the issue, the researchers found that several popular websites, including Gmail, Facebook, and Amazon, store user passwords in plaintext within the HTML code of their pages. This makes it possible for extensions to access and potentially misuse these passwords.

One critical finding highlighted by the researchers is that extensions often have unrestricted access to websites’ DOM (Document Object Model) trees. This unrestricted access enables them to inspect the content of text input fields and a page’s source code, with no protective buffer in place between the extension and the website’s code to prevent such access.

The researchers’ proof-of-concept extension also demonstrated the ability to use the DOM API to extract text from an input field while a user is typing. This method bypasses any security measures implemented by websites to conceal sensitive text, such as passwords.

Despite Google’s recent launch of Manifest V3 for Chrome extensions, which aims to restrict abuse of APIs, prevent arbitrary code execution, and limit extensions’ ability to load remote code (a technique used to evade detection), the researchers argue that it does not provide adequate isolation between extensions and web pages. Consequently, content scripts remain able to read page content.

To test whether their extension would pass Google’s review process, the researchers uploaded it to the Chrome Web Store, disguised as a ChatGPT assistant. Since the extension does not contain malicious code or fetch code from external sources, it complies with Manifest V3’s requirements, and Google approved it for the store. The researchers did not misuse or access any user data, kept the extension unpublished, and promptly removed it from the store.

According to the researchers, over a thousand of the world’s most popular websites store user passwords in plaintext within their HTML source code. Additionally, approximately 7,300 sites are vulnerable to DOM API access, enabling the direct extraction of user inputs. Furthermore, around 17,300 (12.5%) Chrome extensions have the legitimate capability to extract sensitive information via permissions granted to them by Google. Many of these extensions boast millions of installs and include popular ad blockers and shopping apps.
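The capability the researchers describe follows directly from an extension’s manifest: a content script whose `matches` cover a site runs inside that site’s DOM, and a host permission combined with script injection reaches the same place, regardless of whether the manifest is V2 or V3. The following Python triage script, an added example that is not the researchers’ code, reads extension manifests and ranks them by how much of the web their scripts can reach, so an administrator can see which installed extensions could read text input fields on any page. The sample manifests are constructed for illustration; the `load_manifests` helper assumes Chrome’s on-disk layout of `Extensions/<id>/<version>/manifest.json` under a profile directory.

```python
import json
from pathlib import Path
from typing import Dict, List

# Match patterns that cover every site. Any of these in a content script's
# "matches" or in the host permissions means the extension's code can run in,
# and read the DOM of, arbitrary pages, including their password fields.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not real extensions), one per fictitious id.
SAMPLE_MANIFESTS: Dict[str, dict] = {
    "helpful-notes": {
        "manifest_version": 3,
        "name": "Helpful Notes",
        "permissions": ["storage"],
        "host_permissions": [],
        "content_scripts": [],
    },
    "chat-assistant": {
        "manifest_version": 3,
        "name": "Chat Assistant",
        "permissions": ["storage", "scripting"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
    "bank-helper": {
        "manifest_version": 2,
        "name": "Bank Helper",
        "permissions": ["tabs", "https://bank.example/*"],
        "content_scripts": [{"matches": ["https://bank.example/*"], "js": ["c.js"]}],
    },
}


def host_patterns(manifest: dict) -> List[str]:
    """Host patterns into which the extension may inject scripts programmatically.

    MV3 lists hosts under "host_permissions" and needs the "scripting" permission
    to inject; MV2 mixes host patterns into "permissions" and tabs.executeScript
    needs only a matching host permission.
    """
    if manifest.get("manifest_version", 2) >= 3:
        hosts = list(manifest.get("host_permissions", []))
        can_inject = "scripting" in manifest.get("permissions", [])
    else:
        hosts = [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
        can_inject = True
    return hosts if can_inject else []


def assess(ext_id: str, manifest: dict) -> dict:
    """Summarise which pages' DOM the extension's code can reach and why."""
    reach = set()
    reasons = []
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            reach.add(pattern)
            reasons.append(f"content script {cs.get('js')} runs on {pattern}")
    for pattern in host_patterns(manifest):
        reach.add(pattern)
        reasons.append(f"may inject scripts into {pattern}")
    if reach & BROAD_PATTERNS:
        scope = "any site"
    elif reach:
        scope = "listed sites"
    else:
        scope = "none"
    return {
        "id": ext_id,
        "name": manifest.get("name", ext_id),
        "manifest_version": manifest.get("manifest_version", 2),
        "scope": scope,
        "hosts": sorted(reach),
        "reasons": reasons,
    }


def triage(manifests: Dict[str, dict]) -> List[dict]:
    """Assess every manifest, broadest DOM reach first."""
    order = {"any site": 0, "listed sites": 1, "none": 2}
    findings = [assess(i, m) for i, m in manifests.items()]
    return sorted(findings, key=lambda f: (order[f["scope"]], f["id"]))


def load_manifests(extensions_dir: Path) -> Dict[str, dict]:
    """Read manifest.json files from a Chrome profile's Extensions directory.

    Assumes the layout Extensions/<id>/<version>/manifest.json; the extension
    id is the top-level directory name.
    """
    manifests = {}
    for path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = path.parent.parent.name
        manifests[ext_id] = json.loads(path.read_text(encoding="utf-8"))
    return manifests


if __name__ == "__main__":
    for f in triage(SAMPLE_MANIFESTS):
        print(f"{f['scope']:<13} MV{f['manifest_version']}  {f['name']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against a real profile with `triage(load_manifests(Path(profile) / "Extensions"))`. Note that the script reports reach, not intent: the page’s point is precisely that an extension in the “any site” bucket needs no malicious code to read a password field, so the bucket is a review queue, not a verdict.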

This revelation underscores the importance of user vigilance and web security practices, especially when dealing with browser extensions. Users are encouraged to exercise caution and review permissions granted to extensions to mitigate potential security risks.