A team of researchers from the University of Wisconsin-Madison has revealed a significant security concern in Google Chrome extensions. They uploaded a proof-of-concept extension to the Chrome Web Store, demonstrating how such extensions can steal plaintext passwords from a website’s source code.
Their examination found that Chrome extensions, due to the lack of a security boundary between them and web pages, can access sensitive elements like user input fields. Even after the introduction of Manifest V3 protocol in Chrome, which introduced some security measures, this issue remains, and potentially malicious extensions can abuse this access to extract user data.
To test the review process of Google’s Web Store, the researchers created a Chrome extension designed to perform password-grabbing attacks. They were successful in uploading it to the platform, even though the extension appeared to be benign. This highlights the challenge of detecting extensions with malicious intent, as the extension did not contain obvious harmful code and was compliant with Manifest V3.
The researchers found that around 1,100 out of the top 10,000 websites store user passwords in plaintext within the HTML DOM, while an additional 7,300 websites are vulnerable to DOM API access for direct extraction of user input values.
The study reveals a concerning gap in Chrome’s extension security, allowing potentially harmful extensions to access and steal user data. Despite some security measures introduced in Manifest V3, the lack of a security boundary between extensions and web pages remains a significant concern.
It is estimated that approximately 12.5% of extensions in the Chrome Web Store have permissions to extract sensitive information from websites, including widely used extensions with millions of installations. The research highlights the need for improved security measures and stricter review processes for Chrome extensions to protect user data and privacy.