Malicious Chrome Extension Exposes Passwords in Plain Text: Researchers Warn of Potential Security Risks

To test whether their extension would pass Google’s review process, the researchers uploaded it to the Chrome Web Store, disguised as a ChatGPT assistant. Because the extension contains no malicious code and fetches no code from external sources, it satisfies Manifest V3’s requirements, and Google approved it for the store. The researchers kept the extension unpublished, did not access or misuse any user data, and promptly removed it from the store.

According to the researchers, over a thousand of the world’s most popular websites store user passwords in plaintext within their HTML source code. In addition, approximately 7,300 sites are exposed to DOM API access, which allows user input to be read directly from the page. Around 17,300 Chrome extensions (12.5%) hold permissions, granted through Google’s permission model, that legitimately allow them to extract such sensitive information. Many of these extensions have millions of installs and include popular ad blockers and shopping apps.