Chrome extensions can access website plaintext passwords

Researchers uncover vulnerabilities in Chrome extensions

Newly found Chrome vulnerability sends shockwaves throughout the community

A surprising proof-of-concept revealed by a team of researchers from the University of Wisconsin – Madison[1] has shocked the digital world. They conducted a risky experiment: uploading to the Chrome Web Store a seemingly innocent extension that has the potential to seriously violate user privacy by covertly stealing plaintext passwords from websites. Their creation is intended to spark a discussion about the security of Chrome extensions and the risky practice of storing sensitive data in the open.

At the heart of this revelation lies a fundamental problem: the existing permissions model of Chrome extensions. The issue affects a vast number of internet users and violates the principles of complete mediation and least privilege.

The results of this research[2] have far-reaching ramifications that raise critical issues regarding the security of our online interactions and the degree to which we can trust the digital technologies we've grown to rely on. This ground-breaking research invites us to explore further into the inner workings of browser extensions, ultimately advocating for stronger security safeguards and reevaluating how private data is handled online.

Chrome's permissions model

The study team learned, upon closer analysis, that numerous websites, including some of the most well-known ones, such as Google and Cloudflare portals, store passwords in plaintext within their HTML source code. This practice alone presents a serious security concern. The apparent unrestricted access that browser extensions are given to a website's Document Object Model (DOM) is what makes this problem worse.

The problem is that there is no security barrier between browser extensions and the web pages they interact with. This makes it alarmingly simple for extensions to access a website's source code and obtain private data such as unencrypted passwords. Additionally, extensions may leverage the DOM API to programmatically harvest user inputs, circumventing whatever security safeguards the website may have in place.

The Manifest V3 standard, which Google implemented in an effort to reduce API misuse and improve security, didn't specifically address this issue. Despite the standard's restrictions, the research team was able to produce a password-grabbing extension that easily passed Google's Web Store review process, revealing a significant flaw in the system.

Millions of users at risk

The extent of this vulnerability is mind-boggling. According to the team's later measurements, numerous websites keep user credentials in plaintext or leave them open to DOM API access. Surprisingly, 12.5% of Chrome extensions available in the Web Store hold the permissions required to collect private data from websites. They include commonly used add-ons such as shopping apps and ad filters, some of which have millions of installations.
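The "required rights" mentioned above are visible in an extension's manifest before it is ever installed. The following is an added example, not code from the research paper or from the article, of a triage helper that reads a manifest (MV2 or MV3) and reports whether the extension can run code in page context, and therefore read the DOM, on all sites, on listed sites only, or not at all. All sample manifests are constructed for illustration.

```javascript
// Added example: classify an extension's DOM reach from its manifest.json.
// Sample manifests below are constructed, not taken from any real extension.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isHostPattern = p => p === "<all_urls>" || p.includes("://");

function triageManifest(manifest) {
  const mv3 = manifest.manifest_version === 3;
  const perms = manifest.permissions || [];
  // MV2 lists host patterns inside "permissions"; MV3 moves them to "host_permissions".
  const hosts = mv3 ? (manifest.host_permissions || []) : perms.filter(isHostPattern);
  const apiPerms = perms.filter(p => !isHostPattern(p));
  // Statically declared content scripts run on every page matching their patterns.
  const scriptMatches = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  // On-demand injection: MV2 via chrome.tabs.executeScript with host access,
  // MV3 via chrome.scripting.executeScript, which also needs the "scripting" permission.
  const canInject = hosts.length > 0 && (!mv3 || apiPerms.includes("scripting"));

  const reasons = [];
  if (scriptMatches.some(m => BROAD.has(m))) reasons.push("content script on all sites");
  if (canInject && hosts.some(h => BROAD.has(h))) reasons.push("script injection on all sites");
  const sites = [...new Set([...scriptMatches, ...(canInject ? hosts : [])])];

  let level = "low";
  if (reasons.length > 0) level = "high";       // DOM readable on every site
  else if (sites.length > 0) level = "medium";  // DOM readable on listed sites only
  if (level === "low" && apiPerms.includes("activeTab"))
    reasons.push("activeTab: DOM readable only in the tab the user invokes it on");
  return { level, sites, reasons };
}

// Constructed sample: an "ad filter" style MV3 extension that must see every page.
const SAMPLE_ALL_SITES = {
  manifest_version: 3, name: "example-blocker",
  permissions: ["storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
// Constructed sample: an MV3 extension limited to one origin but able to inject there.
const SAMPLE_ONE_SITE = {
  manifest_version: 3, name: "example-helper",
  permissions: ["scripting"], host_permissions: ["https://shop.example/*"],
};
// Constructed sample: an MV2 extension with a broad host permission (no "scripting" needed).
const SAMPLE_MV2 = { manifest_version: 2, name: "example-old", permissions: ["tabs", "*://*/*"] };

console.log(triageManifest(SAMPLE_ALL_SITES), triageManifest(SAMPLE_ONE_SITE), triageManifest(SAMPLE_MV2));
```

A "high" result does not mean an extension is malicious; it means a review of what its scripts do with page content is warranted, which is exactly the gap the Web Store review process missed here.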

The report also highlights a number of well-known websites that are vulnerable to this type of attack, including Gmail, Cloudflare, Facebook, Citibank, the IRS, Capital One, and others. In certain situations, the HTML source code contains plaintext passwords, user inputs, and even Social Security numbers.

The fact that 190 extensions, some of which have received over 100,000 downloads, directly access password fields and save values in variables raises concerns that nefarious actors may already be working to exploit this security hole.

Amazon reaffirmed its dedication to consumer security in reaction to these findings and also urged developers to follow security best practices. Google, on the other hand, is looking into the situation and referred users to Chrome's Extensions Security FAQ,[3] which views access to password fields as secure as long as the required permissions are granted.

The question that remains is whether these discoveries will lead to broad-scale reforms in the industry that improve the security of browser extensions and encourage websites to adopt safer practices. Given the possible risk to millions of internet users, the need for action cannot be overstated.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
