In context: Google Chrome owes a large part of its popularity to the hundreds of extensions that expand its functionality and even make browsing safer for children and adults alike. However, many of the extensions can also retrieve private content, such as emails or banking details, making them a potential privacy nightmare for millions of users. Now, a group of cybersecurity researchers has proven that people need to be judicious while installing extensions, as not all of them are safe to use.
Researchers from the University of Wisconsin-Madison have created a proof-of-concept Chrome extension that is capable of stealing plaintext passwords from the HTML source code of virtually any website. A paper published by the researchers last week detailed how a comprehensive analysis of the security of text input fields in web browsers revealed that their “coarse-grained permission model violates two security design principles: least privilege and complete mediation.”
The researchers also uncovered two vulnerabilities in input fields, including the discovery of passwords in plaintext within the HTML source code of popular websites, such as gmail.com. Other major websites that also store plaintext passwords within their HTML source code include Cloudflare, Facebook, Amazon, Citibank, Capital One, and more. What makes it worse is that around 12.5 percent of the extensions on the Chrome Web Store possess the necessary permissions to exploit these vulnerabilities, and they include some of the most popular ad blockers and shopping add-ons.
As reported by Bleeping Computer, browser extensions often have unrestricted access to the DOM tree of sites they load on, potentially creating a privacy hazard for users. That’s because the DOM API allows accessing sensitive elements such as user input fields, leaving the door open for unscrupulous developers to abuse it to extract confidential information entered by the user, bypassing all security measures employed by the site.
To mitigate the risks, the researchers proposed two countermeasures that they believe will greatly reduce the risk of private user information being accessed by unauthorized sources. Firstly, website developers should use a JavaScript package to protect sensitive input fields, and secondly, users should get a warning message from their browser every time an extension accesses those fields.
It is worth noting that the Manifest V3 protocol used by most modern browsers restricts API abuse to some degree by preventing extensions from fetching code hosted remotely. Measures are also in place to prohibit the use of eval statements that can be used to inject code into webpages dynamically, but the researchers believe that these steps are not enough to safeguard sensitive user information.