Researchers from the University of Wisconsin-Madison have developed a prototype extension for the Chrome Web Store. The tool can retrieve plaintext passwords from the source code of any given website. By examining how browsers handle input fields, the researchers found that Chrome's extension model violates the principles of least privilege and complete mediation. Their further investigation uncovered that a range of popular sites, including the Google and Cloudflare portals, store plaintext passwords within their HTML source code, making it possible for extensions to access and obtain this sensitive information.

Source of the problem.

Researchers have found a security issue with browser extensions that allows them to access sensitive elements on websites. This unrestricted access lets extensions extract data from the page source and steal the values users type into input fields. Google Chrome's Manifest V3 aims to address these concerns, but it does not establish a security boundary between extensions and web pages, so the problem still exists.


Uploading a PoC on the web store.

The researchers created a Chrome extension capable of password-grabbing attacks to test Google's Web Store review process.

Using a GPT-based assistant, the researchers created an extension that:

1. Uses a regex to extract the HTML source code when the user attempts to log in on a web page.

2. Uses CSS selectors to locate the input fields of interest and reads the user-provided data from their 'value' property.

3. Performs element substitution, replacing JS-based obfuscated fields with an unsafe password field.

This extension contains no visibly malicious code, which makes it undetectable by conventional scanning methods. Furthermore, it doesn't load any code dynamically from external sources, so it meets the requirements of Manifest V3.

The extension passed the Web Store's security checks; in keeping with ethical practice, the researchers removed it promptly after approval.


Potential for exploitation.

Approximately 1,100 top websites store user passwords in plain text, while 7,300 are vulnerable to data extraction. 

According to a recent technical publication by the University of Wisconsin-Madison, around 12.5% of the extensions available in the Chrome Web Store, which amounts to roughly 17,300 extensions, possess the necessary permissions to retrieve sensitive data from websites.
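The permissions that matter for this finding are the ones that place a content script on every page or grant host access to all URLs. The following triage check is an added example, not code from the paper or this article, and the manifests it inspects are constructed for the demo (the extension names are hypothetical). It flags the manifest fields that give an extension DOM access to arbitrary sites, which is the precondition for the attack described above:

```javascript
// Added example (not from the paper or the article): flag extension manifests
// whose permissions let a content script read the DOM of every site the user
// visits, login forms included. Works on both Manifest V2 and V3 layouts.
// Runs offline on the constructed manifests below; no dependencies.

// Match patterns that cover essentially every site.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isBroadMatch(pattern) {
  return BROAD_PATTERNS.has(String(pattern).trim());
}

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // V3 moved host access to host_permissions; V2 mixed host patterns into permissions.
  const hosts = [].concat(manifest.host_permissions || [], perms);
  for (const h of hosts) {
    if (isBroadMatch(h)) findings.push({ kind: 'host', value: h, broad: true });
  }
  // Content scripts declared with a broad match run in every page automatically.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadMatch(m)) findings.push({ kind: 'content_script', value: m, broad: true });
    }
  }
  // "scripting" alone is not enough to reach arbitrary pages, but combined with
  // broad host access it allows code injection at runtime, so it is worth noting.
  if (perms.includes('scripting')) findings.push({ kind: 'scripting', value: 'scripting', broad: false });
  return {
    name: manifest.name,
    manifestVersion: manifest.manifest_version,
    findings,
    // True when the extension can read the DOM of any site without user action.
    canReadAnyPage: findings.some((f) => f.broad),
  };
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLE_BLOCKER = {
  name: 'Sample Blocker (constructed)',
  manifest_version: 3,
  permissions: ['storage', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
const SAMPLE_NOTES = {
  name: 'Sample Notes (constructed)',
  manifest_version: 3,
  permissions: ['storage'],
  host_permissions: ['https://notes.example/*'],
  content_scripts: [{ matches: ['https://notes.example/*'], js: ['content.js'] }],
};

for (const m of [SAMPLE_BLOCKER, SAMPLE_NOTES]) {
  console.log(JSON.stringify(auditManifest(m), null, 2));
}
```

This tells a reviewer which extensions to look at closely, not whether one is malicious: as the article notes, the proof-of-concept extension contained no visibly harmful code, so a permission audit narrows the population but the content scripts themselves still need review.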

The report also draws attention to the absence of safeguards, noting that the extensions holding these permissions include widely used ad blockers and shopping apps with millions of installations.

Notable website examples of lack of protections highlighted in the report include:

  • gmail.com – plaintext passwords on HTML source code.
  • cloudflare.com – plaintext passwords on HTML source code.
  • facebook.com – user inputs can be extracted via the DOM API.
  • citibank.com – user inputs can be extracted via the DOM API.
  • irs.gov – SSNs are visible in plaintext form on the web page source code.
  • capitalone.com – SSNs are visible in plaintext form on the web page source code.
  • usenix.org – SSNs are visible in plaintext form on the web page source code.
  • amazon.com – credit card details (including security code) and ZIP code are visible in plaintext form on the page's source code.
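Site owners can check for the first kind of exposure listed above, secrets that are already present in the markup the server sends, before any extension gets involved. The following audit is an added example, not code from the paper or this article; it scans served HTML for password inputs that arrive with a prefilled value and for input values that look like SSNs or card numbers. The sample HTML is constructed for the demo, and the attribute parser is a deliberately small regex-based one rather than a full HTML parser:

```javascript
// Added example (not from the paper or the article): audit served HTML for
// secrets that any extension with DOM access could read straight from the
// source. Runs offline in Node on the constructed sample below; no dependencies.

const SSN_RE = /^\d{3}-\d{2}-\d{4}$/;
// 13-19 digits, optionally separated by spaces or dashes.
const CARD_RE = /^(?:\d[ -]?){13,19}$/;

// Luhn check to cut false positives on long digit strings (order ids, etc.).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Minimal attribute parser for a single <input ...> tag (not a full HTML parser).
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, '').replace(/\/?>$/, '');
  const re = /([\w-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function auditHtml(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const type = (a.type || 'text').toLowerCase();
    const value = a.value || '';
    const field = a.name || a.id || '(unnamed)';
    if (type === 'password' && value !== '') {
      findings.push({ field, issue: 'password prefilled in HTML source' });
    } else if (SSN_RE.test(value)) {
      findings.push({ field, issue: 'SSN in input value' });
    } else if (CARD_RE.test(value) && luhnValid(value.replace(/[ -]/g, ''))) {
      findings.push({ field, issue: 'card number in input value' });
    }
  }
  return findings;
}

// Constructed sample page (not a real site).
const SAMPLE_HTML = `
<form action="/login">
  <input type="email" name="user" value="alice@example.com">
  <input type="password" name="pass" value="hunter2">
  <input type="text" name="ssn" value="123-45-6789">
  <input type="text" name="card" value="4111 1111 1111 1111">
  <input type="text" name="zip" value="53706">
  <input type="password" name="newpass">
</form>`;

console.log(JSON.stringify(auditHtml(SAMPLE_HTML), null, 2));
```

A clean result here does not cover the second kind of exposure in the list, values the user types into a field at runtime: those are readable through the DOM API regardless of what the server sent, and the report's point is that only the browser's extension model can close that gap.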

Don't wait until it's too late to protect yourself from these cyber risks. Reach out to us today at info@logixal.co.uk to fortify your defenses and keep your sensitive information out of the wrong hands.
