Google Chrome owes its popularity in large part to the hundreds of extensions that extend its functionality and even make browsing safer for kids and adults. However, many of the extensions can also retrieve private content such as emails or bank details, making them a potential privacy nightmare for millions of users. Now, a group of cybersecurity researchers has proved that caution should be exercised when installing extensions as not all of them are safe to use.
Researchers at the University of Wisconsin-Madison have developed a proof-of-concept Chrome extension capable of stealing plain-text passwords from the HTML source code of virtually any website. The study, published by the researchers last week, detailed how a comprehensive analysis of the security of text entry fields in web browsers found that their “coarse-grained permissions model violates two security design principles: least privilege and full mediation.”
The researchers also discovered two vulnerabilities in input fields, including the detection of clear-text passwords in the HTML source code of popular websites such as gmail.com. Other major websites that also store clear-text passwords in their HTML source code include Cloudflare, Facebook, Amazon, Citibank, Capital One, and more. To make matters worse, about 12.5 percent of Chrome Web Store extensions have the necessary permissions to exploit these vulnerabilities, and these include some of the most popular ad blockers and shopping add-ons.
As reported by Bleeping Computer, browser extensions often have unrestricted access to the DOM tree of the websites they load on, potentially posing a threat to user privacy. That’s because the DOM API allows access to sensitive elements such as user input fields, leaving the door open for unscrupulous developers to abuse them to extract sensitive information entered by the user, thereby bypassing all security measures deployed by the website.
To mitigate the risks, the researchers proposed two countermeasures that they believe will significantly reduce the risk of unauthorized sources accessing private user information. First, website developers should use a JavaScript package to protect sensitive input fields, and second, users should receive a warning message from their browser every time an extension accesses these fields.
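The first countermeasure above, page-side mediation of a sensitive field, sketched as an added example that is not the researchers' package: the real value is kept in a closure, the shared `.value` property returns a mask and logs every read, and only the page's own submit path can reveal it. The stub element and `demo()` are constructed so it runs under Node without a DOM; in a browser the element would come from `document.querySelector` and keystrokes would be captured from the `input` event.

```javascript
// Added example (not the researchers' package): page-side mediation of a
// password field's value. In a browser the element would come from
// document.querySelector('input[type=password]'); here a constructed stub
// stands in so the logic runs under Node without a DOM.

function protectSensitiveField(field, onAccess) {
  let real = field.value ?? "";
  const accessLog = [];
  // Replace the public .value with a mediated accessor: writes are kept
  // privately, reads through the shared DOM get a placeholder and are logged.
  Object.defineProperty(field, "value", {
    configurable: true,
    enumerable: true,
    get() {
      const entry = { at: Date.now(), stack: new Error().stack };
      accessLog.push(entry);
      if (onAccess) onAccess(entry);
      return "\u2022".repeat(real.length); // masked, same length as the secret
    },
    set(v) { real = String(v); },
  });
  return {
    // Only the page's own submit handler should call this.
    reveal: () => real,
    accessLog,
  };
}

// Constructed stand-in for an <input type="password"> element.
function makeStubInput(initial) {
  return { type: "password", value: initial };
}

function demo() {
  const input = makeStubInput("");
  const guard = protectSensitiveField(input);
  input.value = "hunter2";               // user input lands in the private copy
  const seenByDom = input.value;         // what any DOM reader now receives
  const forSubmit = guard.reveal();      // what the page's submit path receives
  return { seenByDom, forSubmit, reads: guard.accessLog.length };
}
```

Shadowing the element's own property does not hide the value from code that reaches the prototype accessor, so this is an access-logging and mitigation aid rather than isolation; the browser-level warning the researchers also propose is what closes that gap.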
It’s worth noting that the Manifest V3 extension platform used by most modern browsers limits API abuse to some extent by preventing extensions from calling remotely hosted code. It also prohibits the use of eval statements that allow code to be dynamically injected into web pages. However, the researchers believe that these steps are insufficient to protect sensitive user information.