Researchers have managed to create a Chrome extension capable of stealing plaintext passwords from popular websites.
Chrome extensions are useful tools for making the browser more capable, but it is also known that many of them can end up being dangerous, even capable of reading the passwords that we store in our browser.
A team of researchers from the University of Wisconsin-Madison has created a Chrome extension that is capable of stealing passwords in plain text from the source code of virtually any website.
The researchers also discovered that major websites such as those of Google, Cloudflare or Amazon store passwords in plain text within the HTML source code of their web pages, allowing these types of extensions to retrieve them.
They explain that the problem is the practice of giving Chrome extensions access to the DOM tree of the sites you load, which lets them reach sensitive elements such as user input fields.
With this, the extension has unlimited access to the data visible in the source code and can even extract any of the content.
The researchers clarify that although Google Chrome's Manifest V3 protocol prohibits extensions from obtaining remotely hosted code, it does not introduce a security boundary between extensions and web pages, so the problem with content scripts persists.
So, as we said, the researchers created a test Chrome extension to demonstrate the dangers that exist in this regard, and managed to get it past the different security checks until it was accepted into the Chrome Web Store itself.
The extension was always set to unpublished, so that no user could download it at the time it was made available.
The researchers claim in their white paper that approximately 17,300 extensions available on the Chrome Web Store have the necessary permissions to extract sensitive information from websites.
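To check which installed extensions fall into that category, the following added example (not code from the researchers or from Chrome) audits a `manifest.json` for scripts that can reach the DOM of arbitrary sites. The function names `isBroad` and `auditManifest`, the broadness heuristic and the sample manifests are assumptions of this example, and the heuristic is not the method the researchers used to arrive at their count.

```javascript
// Added example: flag extension manifests whose scripts can reach the DOM
// (and therefore user input fields) of arbitrary websites.

// A match pattern is "broad" if it is <all_urls> or its host part is a bare "*".
function isBroad(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  return m !== null && m[2] === "*";
}

function auditManifest(manifest) {
  const findings = [];
  const mv = manifest.manifest_version;
  const perms = manifest.permissions || [];

  // 1. Content scripts declared statically in the manifest.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0) {
      findings.push({ kind: "content_script", patterns: broad,
                      files: cs.js || [], allFrames: cs.all_frames === true });
    }
  }

  // 2. Scripts injected at runtime. MV3 needs the "scripting" permission plus
  //    host_permissions; MV2 lists host patterns inside "permissions".
  const hosts = mv >= 3 ? (manifest.host_permissions || []) : perms;
  const broadHosts = hosts.filter(isBroad);
  const canInject = mv >= 3 ? perms.includes("scripting") : true;
  if (canInject && broadHosts.length > 0) {
    findings.push({ kind: "runtime_injection", patterns: broadHosts });
  }
  return { name: manifest.name, domAccessToAnySite: findings.length > 0, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: "broad-helper", manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], all_frames: true }] },
  { name: "injector", manifest_version: 3,
    permissions: ["scripting", "storage"], host_permissions: ["https://*/*"] },
  { name: "scoped-tool", manifest_version: 3,
    permissions: ["scripting"], host_permissions: ["https://*.example.com/*"],
    content_scripts: [{ matches: ["https://example.com/*"], js: ["tool.js"] }] },
];

for (const s of SAMPLES) {
  const r = auditManifest(s);
  console.log(r.name, r.domAccessToAnySite, r.findings.map(f => f.kind).join(","));
}
```

An extension scoped to specific hosts, like the third sample, is not flagged; only patterns that cover every site are.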