CATEGORIES
home News

Google's Sloppy Approach To Browser Extensions Leaves You Vulnerable To Password Theft

by Nathan OrdMonday, September 04, 2023, 12:04 PM EDT
researchers show how extensions could extract passwords through security vulnerability
Recently, researchers from the University of Wisconsin–Madison assessed the security of text input fields for web browsers. This research discovered that some sites store passwords in plaintext in the HTML source code of the site, which browser extensions could abuse to steal the credentials.

The research, published on August 30th, explains that the problem lies with browser extensions and how permissions are traditionally handled. The current permissions system found across all browsers is a “coarse-grained approach, particularly with respect to access to web page content.” This means that once an extension is loaded onto a page, it has access to all elements. The researchers further explain that this lack of a security boundary could allow an extension to access and even maybe manipulate data in any input field on a webpage.

chart researchers show how extensions could extract passwords through security vulnerability

In December 2020, Google introduced Manifest V3, a change to the extensions platform, to close security loopholes and improve privacy and performance. Despite this, the researchers were able to create an extension that would extract sensitive input field values, which they were then able to upload to the Google Chrome web store as a ChatGPT-like assistant. While this extension was left as ‘unpublished’ in the store and was ethically handled, it still goes to show that it may not take much to upload a malicious browser extension.

vulns researchers show how extensions could extract passwords through security vulnerability
The differing vulnerabilities the researchers found in their assessment.

Following this success, the team sought to find sites that may be vulnerable to this kind of attack, scanning the top 10K websites. They found that 7,140 of these websites had password fields that could have data extracted, including Google, Cloudflare, Facebook, and others. The researchers further looked at what extensions could possibly abuse this and found that 12.5% or over 17,000 extensions have permission to extract information from all web pages.

At the end of the day, the researchers’ work shows that there is a systemic issue at hand that could put internet users at risk of having compromised accounts if that has not happened already. While there is a proposed solution for developers, end users should know and trust all of their extensions just as they would any other software. However, hopefully, this will not be much of a problem if proper security measures are implemented.
Tags:  Google, security, (nasdaq:goog)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment