Breaking the Barrier: The Risks of Unrestricted Chrome Extension Access

Reading Time: ( Word Count: )

September 3, 2023

Researchers from the University of Wisconsin-Madison have demonstrated a significant security flaw within the Chrome Web Store by launching a proof-of-concept extension capable of extracting plaintext passwords from web pages.

Upon close inspection of web browser text input fields, it became evident that the foundational permissions governing Chrome extensions can often compromise the security ideals of minimal access and comprehensive control.

Alarmingly, many popular websites, including certain Google and Cloudflare platforms, embed passwords as plaintext in their HTML source code. This oversight enables certain browser extensions to extract them effortlessly. The key issue stems from allowing browser extensions blanket access to the DOM tree of any loaded site, subsequently granting access to critical elements such as user input sections.

The root of the problem lies in the absence of a security barrier between an extension and the elements of a website. This unrestricted access permits extensions to mine data from the source code freely.

Moreover, these extensions can manipulate the DOM API to directly pull values from user inputs, even sidestepping any protective measures websites might employ, thus programmatically swiping the data.

Also Read: 

Also Read: From Emails to Passwords: Sensitive Data Leak at NSC National Safety Council

The Risks of Unrestricted Chrome Extension Access

Google Chrome’s newly introduced Manifest V3 protocol, now adopted by a majority of browsers, does curtail some exploitative behaviors of extensions. It restricts certain API misuses, bans extensions from sourcing code from external locations, and stops the use of potentially harmful eval statements.

However as these researchers point out, Manifest V3 does not add a protective layer between extensions and web pages, leaving the vulnerability with content scripts open.

Shockingly, this extension cleared Google Chrome’s Web Store’s security verification, spotlighting the inadequacy of their review mechanisms.

To uphold ethical guidelines, the researchers ensured no real data was harvested or exploited. They also restricted the extension’s availability and swiftly removed it post-approval.

A subsequent review revealed that a significant number of top websites (based on Tranco’s ranking) had plaintext password vulnerabilities or were susceptible to DOM API exploitation.

In a recent technical paper, the University of Wisconsin-Madison team disclosed that a sizable portion (12.5%) of extensions on the Chrome Web Store could potentially pull sensitive data from sites. Some of these extensions, including popular ad-blockers and shopping tools, have been downloaded millions of times.

A representative from Google has verified that they are investigating the issue. They directed attention to Chrome’s Extensions Security FAQ, which doesn’t view access to password fields as a security concern, provided the necessary permissions are appropriately secured.




Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Amazon Mistakenly Sends Out Gift Card Confirmations

Amazon Mistakenly Sends Out Gift Card Confirmations

Amazon unintentionally dispatched purchase confirmation emails regarding, Google Play, and Mastercard ...
FBI Flags Escalating Trend of Paired Ransomware Threats

FBI Flags Escalating Trend of Paired Ransomware Threats

The U.S. Federal Bureau of Investigation (FBI) has issued an alert regarding a rising trend of dual ransomware ...
Unraveling the Mystery Behind Discord’s Recent Block Message

Unraveling the Mystery Behind Discord’s Recent Block Message

Users of the renowned communication tool Discord were taken aback today when they were greeted with an alarming ...
Best Phishing Tools for Ethical Hacking in 2023

Best Phishing Tools for Ethical Hacking in 2023

Phishing is one of the most prevalent cyber threats today, seeking to exploit human vulnerabilities rather than ...

Submit a Comment

Your email address will not be published. Required fields are marked *