A group of researchers from the University of Wisconsin-Madison has recently uncovered a potential security risk within Google Chrome extensions. They have developed a proof-of-concept extension, available on the Chrome Web Store, capable of extracting plaintext passwords from a website’s source code.
Upon scrutinizing the text input fields in web browsers, the researchers identified that Chrome extensions’ coarse-grained permission model violates the principles of least privilege and complete mediation.
Furthermore, their investigation revealed that numerous websites, some of them major portals like Google and Cloudflare, inadvertently store passwords in plaintext within their HTML source code. This practice opens the door for extensions to retrieve these passwords.
The issue arises from the systemic practice of granting browser extensions unrestricted access to a site’s DOM tree, including potentially sensitive elements like user input fields.
Due to the absence of a robust security boundary between extensions and a website’s elements, extensions can freely access and extract the contents visible in the source code.
Additionally, extensions can exploit the DOM API to directly extract input values as users enter them, bypassing any obfuscation measures implemented by the website to safeguard sensitive data.
Google introduced Manifest V3, which most browsers have adopted, to mitigate API abuse, prohibit extensions from fetching remote code that could evade detection, and prevent the use of eval statements leading to arbitrary code execution.
However, this protocol fails to introduce a security boundary between extensions and web pages, leaving the issue of content script vulnerabilities unresolved.
Subsequent measurements conducted by the researchers indicate that out of the top 10,000 websites (according to Tranco rankings), approximately 1,100 websites store user passwords in plaintext within the HTML DOM. An additional 7,300 websites from the same set were identified as vulnerable to DOM API access and direct extraction of user input values.
The research paper, released by the University of Wisconsin-Madison team, asserts that roughly 12.5% of the extensions available in the Chrome Web Store, totaling approximately 17,300 extensions, possess the necessary permissions to access sensitive information from websites.
Some widely used extensions, including ad blockers and shopping apps with millions of installations, are among those identified.
The report highlights several notable examples of websites lacking adequate protections:
- Gmail.com – Exposes plaintext passwords in the HTML source code.
- Cloudflare.com – Exposes plaintext passwords in the HTML source code.
- Facebook.com – Allows user inputs to be extracted via the DOM API.
- Citibank.com – Allows user inputs to be extracted via the DOM API.
- IRS.gov – Social Security Numbers (SSNs) are visible in plaintext on the web page’s source code.
- Capitalone.com – SSNs are visible in plaintext on the web page’s source code.
- Usenix.org – SSNs are visible in plaintext on the web page’s source code.
- Amazon.com – Credit card details (including security codes) and ZIP codes are visible in plaintext on the page’s source code.
Additionally, the analysis uncovered 190 extensions, some with over 100,000 downloads, that directly access password fields and store values in a variable, raising concerns about potential exploitation of this security gap.
Google has acknowledged the issue and is currently investigating it. It refers to Chrome’s Extensions Security FAQ, which does not categorize access to password fields as a security problem as long as the relevant permissions have been appropriately obtained.