Breaking the Barrier: The Risks of Unrestricted Chrome Extension Access

Reading Time: ( Word Count: )

September 3, 2023

Researchers from the University of Wisconsin-Madison have demonstrated a significant security flaw within the Chrome Web Store by launching a proof-of-concept extension capable of extracting plaintext passwords from web pages.

Upon close inspection of web browser text input fields, it became evident that the foundational permissions governing Chrome extensions can often compromise the security ideals of minimal access and comprehensive control.

Alarmingly, many popular websites, including certain Google and Cloudflare platforms, embed passwords as plaintext in their HTML source code. This oversight enables certain browser extensions to extract them effortlessly. The key issue stems from allowing browser extensions blanket access to the DOM tree of any loaded site, subsequently granting access to critical elements such as user input sections.

The root of the problem lies in the absence of a security barrier between an extension and the elements of a website. This unrestricted access permits extensions to mine data from the source code freely.

Moreover, these extensions can manipulate the DOM API to directly pull values from user inputs, even sidestepping any protective measures websites might employ, thus programmatically swiping the data.

Also Read: 

Also Read: From Emails to Passwords: Sensitive Data Leak at NSC National Safety Council

The Risks of Unrestricted Chrome Extension Access

Google Chrome’s newly introduced Manifest V3 protocol, now adopted by a majority of browsers, does curtail some exploitative behaviors of extensions. It restricts certain API misuses, bans extensions from sourcing code from external locations, and stops the use of potentially harmful eval statements.

However as these researchers point out, Manifest V3 does not add a protective layer between extensions and web pages, leaving the vulnerability with content scripts open.

Shockingly, this extension cleared Google Chrome’s Web Store’s security verification, spotlighting the inadequacy of their review mechanisms.

To uphold ethical guidelines, the researchers ensured no real data was harvested or exploited. They also restricted the extension’s availability and swiftly removed it post-approval.

A subsequent review revealed that a significant number of top websites (based on Tranco’s ranking) had plaintext password vulnerabilities or were susceptible to DOM API exploitation.

In a recent technical paper, the University of Wisconsin-Madison team disclosed that a sizable portion (12.5%) of extensions on the Chrome Web Store could potentially pull sensitive data from sites. Some of these extensions, including popular ad-blockers and shopping tools, have been downloaded millions of times.

A representative from Google has verified that they are investigating the issue. They directed attention to Chrome’s Extensions Security FAQ, which doesn’t view access to password fields as a security concern, provided the necessary permissions are appropriately secured.

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...

Submit a Comment

Your email address will not be published. Required fields are marked *