Rogue Chrome extensions can steal passwords from websites such as Gmail, Amazon & Facebook


In context: Google Chrome owes a large part of its popularity to the hundreds of extensions that expand its functionality and even make browsing safer for children and adults alike. However, many of the extensions can also retrieve private content, such as emails or banking details, making them a potential privacy nightmare for millions of users. Now, a group of cybersecurity researchers has proven that people need to be judicious while installing extensions, as not all of them are safe to use.

Researchers from the University of Wisconsin-Madison have created a proof-of-concept Chrome extension that is capable of stealing plaintext passwords from the HTML source code of virtually any website. A paper published by the researchers last week detailed how a comprehensive analysis of the security of text input fields in web browsers revealed that their "coarse-grained permission model violates two security design principles: least privilege and complete mediation."

The researchers also uncovered two vulnerabilities in input fields, including the discovery of passwords in plaintext within the HTML source code of popular websites, such as Other major websites that also store plaintext passwords within their HTML source code include Cloudflare, Facebook, Amazon, Citibank, Capital One, and more. What makes it worse is that around 12.5 percent of the extensions on the Chrome Web Store possess the necessary permissions to exploit these vulnerabilities, and they include some of the most popular ad blockers and shopping add-ons.

As reported by Bleeping Computer, browser extensions often have unrestricted access to the DOM tree of sites they load on, potentially creating a privacy hazard for users. That's because the DOM API allows accessing sensitive elements such as user input fields, leaving the door open for unscrupulous developers to abuse it to extract confidential information entered by the user, bypassing all security measures employed by the site.

To mitigate the risks, the researchers proposed two countermeasures that they believe will greatly reduce the risk of private user information being accessed by unauthorized sources. Firstly, website developers should use a JavaScript package to protect sensitive input fields, and secondly, users should get a warning message from their browser every time an extension accesses those fields.

It is worth noting that the Manifest V3 protocol used by most modern browsers restricts API abuse to some degree by preventing extensions from fetching code hosted remotely. Measures are also in place to prohibit the use of eval statements that can be used to inject code into webpages dynamically, but the researchers believe that these steps are not enough to safeguard sensitive user information.
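The permission surface described above can be audited from an extension's `manifest.json`. The following is an added example, not code from the researchers or the article: it checks, for both Manifest V2 and V3, whether an extension's declared match patterns let it reach the DOM of a given page. The sample manifests, their names, and the URLs are constructed for illustration.

```javascript
// Added example: which extension manifests can reach the DOM of a given page?
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Chrome match pattern (<scheme>://<host>/<path>) tested against one URL.
function patternMatchesUrl(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (pattern === '<all_urls>') return ['http', 'https', 'file', 'ftp'].includes(scheme);
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^\/*]+|[^\/*]*)(\/.*)$/.exec(pattern);
  if (!m) return false; // API permissions such as "tabs" are not patterns
  const [, pScheme, pHost, pPath] = m;
  if (pScheme === '*' ? !['http', 'https'].includes(scheme) : pScheme !== scheme) return false;
  if (pHost.startsWith('*.')) {
    const base = pHost.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith('.' + base)) return false;
  } else if (pHost !== '*' && pHost !== u.hostname) return false;
  const pathRe = new RegExp('^' + pPath.split('*').map(esc).join('.*') + '$');
  return pathRe.test(u.pathname + u.search);
}

// Returns the routes by which the extension can read `url`'s DOM.
function domAccessRoutes(manifest, url) {
  const hit = (list) => (list || []).some((p) => patternMatchesUrl(p, url));
  const perms = manifest.permissions || [];
  const routes = [];
  if ((manifest.content_scripts || []).some((cs) => hit(cs.matches) && !hit(cs.exclude_matches)))
    routes.push('content_script');
  // MV2 lists host patterns in "permissions"; MV3 uses "host_permissions" and
  // needs the "scripting" permission for programmatic injection.
  const canInject = manifest.manifest_version === 2 || perms.includes('scripting');
  if (canInject && (hit(manifest.host_permissions) || hit(perms))) routes.push('programmatic_injection');
  if (canInject && perms.includes('activeTab')) routes.push('activeTab_on_user_gesture');
  return routes;
}

// Constructed sample manifests and target URL (not real extensions).
const SAMPLES = {
  blocker: { manifest_version: 3, content_scripts: [{ matches: ['<all_urls>'], js: ['cs.js'] }] },
  coupon: { manifest_version: 3, permissions: ['scripting'], host_permissions: ['https://*.shop.example/*'] },
  legacy: { manifest_version: 2, permissions: ['tabs', '*://*/*'] },
  notes: { manifest_version: 3, permissions: ['storage'] },
};
const LOGIN_URL = 'https://accounts.bank.example/login';
function audit(url = LOGIN_URL) {
  return Object.fromEntries(Object.entries(SAMPLES).map(([n, m]) => [n, domAccessRoutes(m, url)]));
}
console.log(audit());
```

An empty route list means the manifest declares no path to that page's DOM; any non-empty list means a login form on that page is readable by the extension's scripts.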


Oh how convenient, "Extensions are dangerous, even those ad blockers" is their new strategy since they had to back down from killing ad blockers by deprecating Manifest V2.

Now it's just good old Microsoft F.U.D. tactics: Let's try and scare people into accepting a browser without ad blockers and claim they're a dangerous security risk. Let's just also not mention how ads themselves are often a far bigger security risk but since Google directly profits out of ads, legit or malicious, they won't mention how exponentially more unsafe it is to browse without an ad blocker because they'll never admit they cannot possibly oversee their core business partners.

I'll just move to Chromium, enforce pihole, move to Firefox or quit the *(!@# internet before I ever run without ad blocking.

That extensions have access to potentially all data is known by EVERYONE. It is literally written on the extensions page! As long as you are using open source extensions you are fine.

Also, nice try Google. However, ad blockers are essential to browsing nowadays and it will be far more unsafe to browse without ad blockers.