Chrome Extensions' Secret Quest for Password Treasures

In recent findings, researchers from the University of Wisconsin-Madison have uncovered a troubling issue related to Chrome extensions. These small browser add-ons, while seemingly harmless, may have a hidden dark side – the ability to swipe plaintext passwords from websites.

The extensive permissions given to Chrome extensions are the root of the issue. These extensions can access private sections like user input fields thanks to their unfettered access to a website's Document Object Model (DOM) tree. In essence, there is no security barrier, allowing these extensions unrestricted access to the source code and the ability to steal whatever valuable information they come across.

You might wonder if Manifest V3, a recent update aimed at enhancing extension security, has resolved these issues. While it did introduce some security measures, it hasn't entirely prevented extensions from accessing web pages. The problem with content scripts remains unaddressed, allowing extensions to continue their clandestine activities.


The researchers created a Chrome extension as a proof of concept to evaluate the efficacy of Google's Web Store approval procedure. When users attempted to log in, this seemingly harmless plugin posed as a helpful assistant capable of grabbing HTML source code. It cherry-picked target input fields and covertly extracted user inputs using CSS selectors. Even more impressively, the plugin replaced regular, insecure password fields with JavaScript-based obfuscated fields.

Surprisingly, the extension passed Google's Web Store review and was accepted without hiccups. Despite its potentially malicious capabilities, it managed to evade static detection and didn't fetch code from external sources, making it Manifest V3-compliant.

The researchers adhered to ethical guidelines, ensuring no actual data was gathered or utilized improperly. While turning off the data-receiving server, they kept the element-targeting server running. The extension was also swiftly taken off the store after completing its research goals and kept in an "unpublished" state to prevent it from receiving a lot of downloads.

A broader analysis revealed that approximately 17,300 extensions in the Chrome Web Store (equivalent to 12.5% of all extensions) possess the necessary permissions to extract sensitive information from websites. Some of these extensions, including widely used ones like ad blockers and shopping apps, boast millions of installations.
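As an added example (not the researchers' code or methodology), the following Node.js check reads an extension's `manifest.json` and reports whether the extension can run script in the DOM of every site, which is the kind of permission the analysis above counts. The list of broad match patterns, the three level names and the sample manifests are assumptions of this example.

```javascript
// Match patterns that cover essentially every website.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Classify how widely an extension can reach page DOMs (criteria assumed for this example).
function auditManifest(manifest) {
  const mv3 = manifest.manifest_version >= 3;
  const perms = manifest.permissions || [];
  const findings = [];

  // Statically declared content scripts run inside every matching page.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD.has(m));
    if (broad.length) {
      findings.push(`content script on ${broad.join(", ")}` + (cs.all_frames ? " (all frames)" : ""));
    }
  }

  // MV3 lists hosts in host_permissions and needs "scripting" to inject;
  // MV2 mixes host patterns into permissions and needs nothing more.
  const hosts = mv3 ? manifest.host_permissions || [] : perms;
  const canInject = !mv3 || perms.includes("scripting");
  const broadHosts = hosts.filter((h) => BROAD.has(h));
  if (canInject && broadHosts.length) {
    findings.push(`programmatic injection on ${broadHosts.join(", ")}`);
  }

  // activeTab only grants the current tab, and only after a user gesture.
  let level = "limited";
  if (findings.length) level = "all-sites";
  else if (canInject && perms.includes("activeTab")) level = "on-click";
  return { level, findings };
}

// Constructed sample manifests (not real extensions).
const samples = {
  assistant: { manifest_version: 3, content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"], all_frames: true }] },
  clipper: { manifest_version: 3, permissions: ["activeTab", "scripting"] },
  legacy: { manifest_version: 2, permissions: ["storage", "*://*/*"] },
  scoped: { manifest_version: 3, host_permissions: ["https://example.com/*"], permissions: ["scripting"] },
};

for (const [name, m] of Object.entries(samples)) {
  const { level, findings } = auditManifest(m);
  console.log(`${name}: ${level}${findings.length ? " - " + findings.join("; ") : ""}`);
}
```

An "all-sites" result means the extension can read form fields on any page the user visits, so it is the group worth reviewing first in an enterprise allowlist.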

Additionally, among the top 10,000 websites, the researchers found roughly 1,100 that store user passwords in plaintext within the HTML DOM. A further 7,300 websites were found to be vulnerable to DOM API access, enabling extensions to collect user input information.

The situation becomes even more concerning when considering popular websites such as Gmail, Cloudflare, Facebook, Citibank, IRS, Capital One, USENIX, and Amazon. These sites exhibit vulnerabilities, from plaintext passwords to visible Social Security Numbers (SSNs) and credit card details in the page's source code.

Although the seriousness of the matter is apparent, it is unclear how businesses and browser developers will handle these issues. Amazon has emphasized its dedication to client security, and Google is actively looking into the situation. As we navigate this intriguing and unsettling landscape, the question remains: Are Chrome extensions our guardians or silent thieves in online security?
