Malicious Chrome Extension Exposes Passwords in Plain Text: Researchers Warn of Potential Security Risks

The researchers’ proof-of-concept extension also demonstrated the ability to manipulate the DOM API to extract text from an input field while a user is typing. This method bypasses any security measures implemented by websites to conceal sensitive text, such as passwords.

Despite Google’s recent launch of the Manifest V3 protocol for Chrome extensions, which aims to restrict abuse of APIs, prevent arbitrary code execution, and limit extensions’ use of remote code to avoid detection, the researchers argue that it does not provide adequate protection between extensions and web pages. Consequently, content scripts remain vulnerable.
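The gap described above can be checked from the defender's side by reviewing what an extension's manifest allows. The following is an added example, not code from the researchers or from Chrome: it flags manifests whose content scripts or injection permissions cover every site. The manifest keys are Chrome's own; the short list of broad match patterns and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not from the researchers): flag extensions whose manifest
// lets scripts reach the DOM of every site. The match-pattern list is a
// deliberately small assumption; the sample manifests are constructed.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const broadOnly = (patterns) => (patterns || []).filter((p) => BROAD.has(p));

function auditManifest(manifest) {
  const findings = [];
  // Declarative content scripts: injected automatically on matching pages.
  for (const cs of manifest.content_scripts || []) {
    const patterns = broadOnly(cs.matches);
    if (patterns.length > 0) {
      findings.push({ kind: "static-content-script", patterns, allFrames: cs.all_frames === true });
    }
  }
  // Programmatic injection: MV3 needs "scripting" plus host access in
  // "host_permissions"; MV2 keeps host patterns inside "permissions".
  const perms = manifest.permissions || [];
  const hosts = broadOnly([...(manifest.host_permissions || []), ...perms]);
  const canInject = manifest.manifest_version === 3 ? perms.includes("scripting") : true;
  if (hosts.length > 0 && canInject) {
    findings.push({ kind: "programmatic-injection", patterns: hosts });
  }
  return { name: manifest.name, broadDomAccess: findings.length > 0, findings };
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLE_MANIFESTS = [
  { name: "Page Helper", manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], all_frames: true }] },
  { name: "Notes Clipper", manifest_version: 3,
    content_scripts: [{ matches: ["https://notes.example.com/*"], js: ["clip.js"] }] },
  { name: "Tab Tools", manifest_version: 3,
    permissions: ["scripting", "storage"], host_permissions: ["*://*/*"] },
];

for (const m of SAMPLE_MANIFESTS) {
  const report = auditManifest(m);
  console.log(report.name, report.broadDomAccess ? "REVIEW" : "ok", JSON.stringify(report.findings));
}
```

A flagged manifest is a prompt for manual review, not proof of malicious behaviour: many legitimate extensions request the same access, which is the point the researchers make about Manifest V3.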