Researchers unveil Chrome extension capable of stealing plaintext passwords from websites
Researchers from the University of Wisconsin-Madison have developed a proof-of-concept Chrome extension capable of stealing plaintext passwords from a website's source code. The extension was uploaded to the Chrome Web Store to illustrate the potential security risks associated with the use of browser extensions.
Chrome extensions are a versatile tool, enhancing browser functionality and user experience. However, the security of these extensions varies greatly. Some can pose significant threats, accessing and stealing personal data, including passwords.
The research team's report identified several high-profile websites, including Gmail, Facebook, Cloudflare, and Amazon, which lack certain security protections. The issue stems from the widespread practice of granting browser extensions unrestricted access to a site's Document Object Model (DOM) tree. This access allows extensions to reach sensitive elements, such as user input fields.
Without a security boundary between a site's elements and the extension, the latter can freely access data within the source code and extract its contents. Measurements taken during the study showed that approximately 1,100 of the top 10,000 websites, as ranked by Tranco, store user passwords in plaintext within the HTML DOM. Additionally, around 7,300 of these websites are susceptible to DOM API access and direct extraction of user input values.
The study also found that 190 extensions, some with over 100,000 downloads, directly access password fields and store values in a variable. This could imply that some extension publishers are already exploiting this security gap.
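The DOM access the article describes comes from content scripts (and broad host permissions) declared in an extension's manifest, so one defensive check is to triage installed extensions for scripts that run on every site. The following is an added example, not code from the article or the researchers; the manifest it inspects is constructed for illustration.

```javascript
// Added example (not from the article or the UW-Madison paper): flag manifest
// entries that let an extension run in the DOM of every site, including login pages.
// The manifest below is constructed for illustration.
const constructedManifest = {
  manifest_version: 3,
  name: "Example Helper (constructed)",
  host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"], run_at: "document_idle" },
    { matches: ["https://intranet.example.test/*"], js: ["intranet.js"] }
  ]
};

// Match patterns that cover every origin; a content script with one of these
// is injected into every page the user visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (pattern) => BROAD_PATTERNS.has(pattern);

// Return a list of findings; an empty list means nothing needs a closer look.
function auditManifest(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((cs, i) => {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0) {
      findings.push({
        kind: "content_script_all_sites",
        index: i,
        files: cs.js || [],
        detail: `content_scripts[${i}] matches ${broad.join(", ")}: runs in every site's DOM`
      });
    }
  });
  // MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .filter(isBroad);
  if (hosts.length > 0) {
    findings.push({
      kind: "broad_host_permissions",
      detail: `${hosts.join(", ")} permits programmatic injection into any site`
    });
  }
  return findings;
}

for (const f of auditManifest(constructedManifest)) console.log(f.kind, "-", f.detail);
```

Run it against the unpacked manifest.json of each extension under review; a hit is a reason to inspect the listed script files, not proof of misuse.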