Compounding the issue, the researchers found that several popular websites, including Gmail, Facebook, and Amazon, store user passwords in plaintext within the HTML code of their pages. This makes it possible for extensions to access and potentially misuse these passwords.
One critical finding highlighted by the researchers is that extensions often have unrestricted access to websites’ DOM (Document Object Model) trees. This unrestricted access enables them to inspect the content of text input fields and a page’s source code, with no protective buffer in place between the extension and the website’s code to prevent such access.
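A site owner can check their own pages for the first half of this exposure. The following is an added example, not code from the researchers or this article: it scans served HTML for `<input>` elements whose markup already carries a password value. The function names, the name-matching heuristic and the sample markup are assumptions made for illustration, and the check covers only the page source, not values a user types into the DOM at runtime.

```javascript
// Added example: audit served HTML for password values present in the markup.
// Function names and SAMPLE_HTML are constructed for illustration.

// Parse one tag's attribute text into an object keyed by lowercase name.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per <input> whose markup carries a password-like value.
function findExposedPasswordFields(html) {
  const findings = [];
  // Quoted runs are matched whole so a ">" inside a value does not end the tag.
  const inputRe = /<input\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttributes(m[1]);
    const type = (a.type || "text").toLowerCase();
    const field = a.name || a.id || "(unnamed)";
    if (!a.value || a.value.trim() === "") continue; // nothing in the source
    if (type === "password") {
      findings.push({ field, reason: "password input pre-filled in markup" });
    } else if (/pass|pwd/i.test(field)) {
      // Heuristic (assumption): the field name suggests a credential.
      findings.push({ field, reason: `password-like value in type=${type} input` });
    }
  }
  return findings;
}

// Constructed sample markup: two exposed fields, three clean ones.
const SAMPLE_HTML = `
<form>
  <input type="text" name="user" value="alice">
  <input type="password" name="pw" value="hunter2">
  <input type="hidden" id="userPassword" value='s3cret'>
  <input type="password" name="new_pw" autocomplete="new-password">
  <input type="password" name="confirm" value="">
</form>`;

console.log(findExposedPasswordFields(SAMPLE_HTML));
```

Running it against HTML captured from a logged-in session shows which fields would hand a credential to anything that can read the page source.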