Breaking the Barrier: The Risks of Unrestricted Chrome Extension Access


September 3, 2023

Researchers from the University of Wisconsin-Madison have demonstrated a significant security flaw within the Chrome Web Store by launching a proof-of-concept extension capable of extracting plaintext passwords from web pages.

A close inspection of how browsers handle text input fields showed that the coarse-grained permission model underlying Chrome extensions can often compromise the security principles of least privilege (minimal access) and complete mediation (comprehensive control).

Alarmingly, many popular websites, including certain Google and Cloudflare platforms, embed passwords as plaintext in their HTML source code. This oversight enables certain browser extensions to extract them effortlessly. The key issue stems from allowing browser extensions blanket access to the DOM tree of any loaded site, subsequently granting access to critical elements such as user input sections.

The root of the problem lies in the absence of a security barrier between an extension and the elements of a website. This unrestricted access permits extensions to mine data from the source code freely.

Moreover, these extensions can manipulate the DOM API to directly pull values from user inputs, even sidestepping any protective measures websites might employ, thus programmatically swiping the data.


Google Chrome’s newly introduced Manifest V3 protocol, now adopted by a majority of browsers, does curtail some exploitative behaviors of extensions. It restricts certain API misuses, bans extensions from sourcing code from external locations, and stops the use of potentially harmful eval statements.

However, as the researchers point out, Manifest V3 does not add a protective layer between extensions and web pages, so the exposure through content scripts remains open.

Shockingly, the proof-of-concept extension cleared the Chrome Web Store’s security verification, spotlighting the inadequacy of its review mechanisms.

To uphold ethical guidelines, the researchers ensured no real data was harvested or exploited. They also restricted the extension’s availability and swiftly removed it post-approval.

A subsequent review revealed that a significant number of top websites (based on Tranco’s ranking) had plaintext password vulnerabilities or were susceptible to DOM API exploitation.

In a recent technical paper, the University of Wisconsin-Madison team disclosed that a sizable portion (12.5%) of extensions on the Chrome Web Store could potentially pull sensitive data from sites. Some of these extensions, including popular ad-blockers and shopping tools, have been downloaded millions of times.
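The exposure described above depends on what an extension's manifest allows, so a defender can triage installed or requested extensions by checking which ones declare access to every site. The following is an added example, not code from the researchers or from Chrome: `coversAllHosts` and `auditManifest` are hypothetical helper names and the two manifests are constructed samples, while `content_scripts`, `matches`, `host_permissions` and `permissions` are the standard manifest keys.

```javascript
// Added example: audit a manifest.json object for any-site DOM access.

// A match pattern is <scheme>://<host>/<path>; a host of "*" means every site.
function coversAllHosts(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Returns findings explaining how the extension can reach the DOM,
// including password inputs, of arbitrary pages.
function auditManifest(manifest) {
  const findings = [];

  // Content scripts are injected automatically into every matching page.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(coversAllHosts);
    if (broad.length > 0) {
      findings.push({ source: "content_scripts", patterns: broad });
    }
  }

  // MV3 declares host access in host_permissions; MV2 mixes host
  // patterns into permissions. Check both so either version is covered.
  for (const key of ["host_permissions", "permissions"]) {
    const broad = (manifest[key] || []).filter(coversAllHosts);
    if (broad.length > 0) {
      findings.push({ source: key, patterns: broad });
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const broadManifest = {
  manifest_version: 3,
  name: "Sample page helper",
  permissions: ["storage", "scripting"],
  host_permissions: ["https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const scopedManifest = {
  manifest_version: 3,
  name: "Sample single-site tool",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://app.example.com/*"], js: ["content.js"] }],
};

for (const m of [broadManifest, scopedManifest]) {
  const f = auditManifest(m);
  console.log(m.name, f.length ? JSON.stringify(f) : "no any-site access");
}
```

An extension flagged here is not necessarily malicious; the finding only means its scripts are permitted to read the DOM of any page the user visits, which is the capability the paper measured.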

A representative from Google has verified that they are investigating the issue. They directed attention to Chrome’s Extensions Security FAQ, which doesn’t view access to password fields as a security concern, provided the necessary permissions are appropriately secured.

Author: Saher

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
