2023-09-02

A recent study conducted by researchers at the University of Wisconsin-Madison has uncovered a troubling security flaw in Google Chrome extensions. The researchers uploaded a proof-of-concept (PoC) extension to the Chrome Web Store that was able to steal plaintext passwords from a website’s source code.

The study revealed that the current permission model used by Chrome extensions violates the principles of least privilege and complete mediation. By examining the text input fields in web browsers, the researchers discovered that numerous websites, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code. This allows extensions to easily retrieve them.

The root of the problem lies in the practice of giving browser extensions unrestricted access to the Document Object Model (DOM) tree of the sites they run on. This allows them to access sensitive elements, such as user input fields. Since there is no security boundary between the extension and the site’s elements, the extension has unrestricted access to the data visible in the source code and can extract any content.

The recently introduced Manifest V3 protocol in Google Chrome aims to limit API abuse and prevent extensions from fetching code hosted remotely that could help evade detection. However, it does not address the lack of a security boundary between extensions and web pages, leaving the problem with content scripts unresolved.

To test the review process of the Chrome Web Store, the researchers created an extension that posed as a GPT-based assistant. The extension was capable of capturing the HTML source code, selecting target input fields, and extracting user inputs. It also performed element substitution to replace obfuscated fields with unsafe password fields. Despite not containing obvious malicious code and being Manifest V3-compliant, the extension passed the review process and was accepted on the Chrome Web Store, highlighting the failure of the security checks.

Further measurements revealed that approximately 1,100 of the top 10,000 websites store user passwords in plaintext within the HTML DOM. Another 7,300 websites were found to be vulnerable to DOM API access and direct extraction of user input values. The researchers also identified 17,300 extensions in the Chrome Web Store that have the permissions necessary to extract sensitive information from websites, including popular ad blockers and shopping apps.
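The permissions that put an extension in the group described above are visible in its manifest. As an added example (not code from the study, from Google, or from any real extension), the following Node script audits a Manifest V3 manifest for grants that give content scripts DOM access to arbitrary sites; the two manifests and the host app.example.com are constructed samples.

```javascript
// Added example: audit a Manifest V3 manifest for broad DOM access.
// In Chrome, content_scripts "matches" and "host_permissions" decide which
// pages an extension's scripts run on; once they run, they see the full DOM.
const BROAD_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadPattern(p) {
  return BROAD_PATTERNS.includes(p.trim());
}

// Returns { broad: boolean, hosts: string[], reasons: string[] }
function auditManifest(manifest) {
  const reasons = [];
  const hosts = new Set();
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      hosts.add(m);
      if (isBroadPattern(m)) reasons.push(`content script injected on all sites (${m})`);
    }
  }
  for (const h of manifest.host_permissions || []) {
    hosts.add(h);
    if (isBroadPattern(h)) reasons.push(`host permission for all sites (${h})`);
  }
  // "scripting" plus a broad host grant also allows runtime code injection.
  const perms = manifest.permissions || [];
  if (perms.includes("scripting") && [...hosts].some(isBroadPattern)) {
    reasons.push("scripting permission combined with broad host access");
  }
  return { broad: reasons.length > 0, hosts: [...hosts], reasons };
}

// Constructed sample: an "assistant"-style MV3 manifest asking for DOM access everywhere.
const broadManifest = {
  manifest_version: 3,
  name: "Example Assistant (constructed sample)",
  permissions: ["scripting", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed sample: same feature scoped to one origin, with activeTab for user-invoked use.
const scopedManifest = {
  manifest_version: 3,
  name: "Example Assistant (scoped, constructed sample)",
  permissions: ["activeTab", "storage"],
  content_scripts: [{ matches: ["https://app.example.com/*"], js: ["content.js"] }],
};

console.log(auditManifest(broadManifest).reasons); // three findings
console.log(auditManifest(scopedManifest).broad); // false
```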

The study highlighted several notable examples of websites lacking proper protections, such as gmail.com, cloudflare.com, facebook.com, citibank.com, and more. The researchers found that some extensions directly access password fields and store the values, indicating potential exploitation of the security gap.

When reached for comment, Amazon emphasized their commitment to customer security and encouraged developers to follow best practices to protect users. Google acknowledged the matter and referred to Chrome’s Extensions Security FAQ, which does not consider access to password fields a security problem as long as the relevant permissions are obtained.

This study brings attention to the need for stronger security measures in Chrome extensions to protect user data. Website owners and extension developers should work together to ensure that sensitive information is properly safeguarded, and users should exercise caution when installing and using extensions.