
Chrome Extensions Expose Major Security Flaw, Endangering Data of Millions of Users


September 06, 2023


According to a startling revelation from researchers at the University of Wisconsin-Madison, Google Chrome extensions have been found capable of stealing plaintext passwords directly from websites.

A significant proportion of popular websites, including notable portals, were found embedding plaintext passwords in the HTML source code of their web pages, rendering millions of users vulnerable to cyber threats.

The core issue arises from the widespread practice of bestowing excessive permissions on browser extensions. These permissions grant unrestrained access to the DOM tree of loaded websites, providing extensions with unfettered access to potentially sensitive data, such as user input fields.

According to the University team, the simplistic permission model that underpins Chrome extensions fundamentally conflicts with the principles of least privilege and complete mediation. This means extensions can access data visible in a website's source code and bypass obfuscation measures that websites set up to shield sensitive data.

Demonstrating the magnitude of the risk, the research team uploaded a proof-of-concept (PoC) extension to the Chrome Web Store disguised as a GPT-based assistant. The extension had the capability to:

  1. Capture the HTML source code when users tried to log in, using regex.
  2. Use CSS selectors to pinpoint specific input fields and read user input through each field's ".value" property.
  3. Swap JS-based obfuscated fields with unprotected password fields via element substitution.

This PoC extension, although lacking overtly malicious code, was adept at data extraction, and easily circumvented Google's static detection tools.

Alarmingly, it also complied with Google Chrome's Manifest V3, a recent revision of the extension platform meant to curb API abuse. Despite these safeguards, the extension made its way past Google's security review and was briefly hosted on the Chrome Web Store before researchers withdrew it.

Based on the researchers' detailed paper, a staggering 1,100 of the top 10,000 websites risk exposing plaintext passwords stored within the HTML DOM.

An additional 7,300 websites are susceptible to DOM API access, paving the way for cyber adversaries to steal users' raw input values. To compound this security nightmare, about 17,300 extensions currently on the Chrome Web Store have the permissions necessary to siphon off sensitive user data.

In light of these findings, users are urged to exercise caution while downloading extensions and to regularly update their passwords. Chrome's security teams, along with other browser developers and website owners, will undoubtedly face pressure to enhance their extension security protocols to tackle this pervasive and deeply concerning issue.
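One way to apply that caution when vetting an extension, as an added example that is not part of the original article or the researchers' paper: a Node.js script that inspects a manifest and flags grants giving the extension's scripts DOM access on every site. The sample manifests and the three-level risk rating are constructed for illustration, and the pattern check is a simplification that only covers `<all_urls>` and wildcard-host http/https patterns.

```javascript
// Added example (not from the researchers' paper): audit a Chrome extension
// manifest for grants that give its scripts DOM access on every site.

// A match pattern is "broad" when it is <all_urls> or its host part is a bare "*".
// Simplification: only the http, https and "*" schemes are considered.
function isBroadPattern(p) {
  return p === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(p);
}

function auditManifest(manifest) {
  const mv = manifest.manifest_version;
  const perms = manifest.permissions || [];
  // MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
  const hostPatterns = mv >= 3
    ? (manifest.host_permissions || [])
    : perms.filter((p) => p.includes('://') || p === '<all_urls>');
  const broadHosts = hostPatterns.filter(isBroadPattern);
  // Content scripts run inside matching pages and can read input field values.
  const broadContentScripts = (manifest.content_scripts || [])
    .filter((cs) => (cs.matches || []).some(isBroadPattern))
    .flatMap((cs) => cs.js || []);
  // activeTab grants access only to the current tab after a user gesture.
  const onDemand = perms.includes('activeTab');
  let risk = 'low'; // rating scale is an assumption of this example
  if (onDemand) risk = 'medium';
  if (broadHosts.length || broadContentScripts.length) risk = 'high';
  return { risk, broadHosts, broadContentScripts, onDemand };
}

// Constructed sample manifests (hypothetical extensions).
const assistant = {
  manifest_version: 3,
  name: 'Example Assistant',
  permissions: ['storage', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};
const scoped = {
  manifest_version: 3,
  name: 'Example Notes',
  permissions: ['storage', 'activeTab'],
  host_permissions: ['https://notes.example.com/*'],
};

console.log(assistant.name, auditManifest(assistant));
console.log(scoped.name, auditManifest(scoped));
```

Point it at the `manifest.json` of an unpacked extension by loading the file with `JSON.parse` and passing the result to `auditManifest`.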




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
