Browser Extension Security Flaws Exposed
Posted: 2023-09-06
By: dwirch
Researchers from the University of Wisconsin-Madison have showcased a Chrome extension that could potentially swipe plaintext passwords straight from a website's source code. This alarming discovery points to two key vulnerabilities:
- Flawed Permission Model: Chrome extensions operate on a permission model that doesn't always follow best security practices. This model tends to grant more access than necessary and doesn't properly oversee the actions of extensions.
- Plaintext Password Storage: Several high-traffic websites, including some operated by Google and Cloudflare, store passwords plainly within their HTML code. This makes them accessible to browser extensions.
Understanding the Issue
The root cause lies in the unrestricted access that browser extensions have to the DOM tree of the sites they interact with. This means they can easily read sensitive information, such as user inputs. Even with newer measures introduced by Google Chrome, such as Manifest V3, the security gap with content scripts persists.
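An added example (not from the original post or the research): a defender-side audit that reads an extension's parsed manifest.json and flags content scripts or host permissions covering every site, which is what gives an extension the DOM access described above. The sample manifest and its names are constructed.

```javascript
// Match patterns that cover all origins (or all http/https origins).
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

// Returns a list of findings for one parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  for (const [i, cs] of (manifest.content_scripts || []).entries()) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length === 0) continue;
    findings.push({
      kind: "content_script_all_sites",
      index: i,
      patterns: broad,
      // all_frames: true injects into every frame, not only the top-level page.
      allFrames: cs.all_frames === true,
      scripts: cs.js || [],
    });
  }
  // Manifest V3 lists hosts in host_permissions; Manifest V2 listed them in permissions.
  const hostPerms = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  const broadHosts = hostPerms.filter(isBroad);
  if (broadHosts.length > 0) {
    findings.push({ kind: "host_permission_all_sites", patterns: broadHosts });
  }
  return findings;
}

// Constructed sample manifest (hypothetical extension, not from the research).
const sampleManifest = {
  manifest_version: 3,
  name: "Example Assistant",
  permissions: ["storage"],
  host_permissions: ["https://api.example.com/*"],
  content_scripts: [
    { matches: ["https://docs.example.com/*"], js: ["docs.js"] },
    { matches: ["<all_urls>"], js: ["assistant.js"], all_frames: true },
  ],
};

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

A finding here means the extension can read the DOM on every site the user visits; it does not by itself show that the extension misuses that access.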
Testing Google's Vigilance
The research team, aiming to evaluate Google's security measures, developed an extension mimicking a GPT-based assistant with the ability to:
- Capture the HTML source code of login pages.
- Use CSS selectors to target and extract user inputs.
- Substitute JavaScript-obfuscated fields with unprotected password fields.
Despite posing potential security threats, the extension was approved for Google Chrome's Web Store. Although it was swiftly taken down post-approval, the test highlighted loopholes in the review process.
Extent of the Threat
A closer look revealed that of the top 10,000 websites, about 1,100 store passwords in clear text in their HTML DOM, and another 7,300 are susceptible to data extraction through the DOM API.
Furthermore, a shocking 17,300 extensions on the Chrome Web Store could potentially extract sensitive data from websites. Some of these include popular ad blockers and shopping apps with millions of downloads.
Websites at Risk
The research listed several major websites that are prone to this vulnerability:
- gmail.com and cloudflare.com have plaintext password visibility.
- facebook.com and citibank.com allow for user input extraction via the DOM API.
- irs.gov, capitalone.com, and usenix.org display Social Security Numbers openly.
- amazon.com exposes credit card and ZIP code details in plaintext.
Worryingly, around 190 extensions, some with over 100,000 downloads, have been identified as potentially exploiting this vulnerability.
In summary, this research underscores the pressing need for improved browser extension security and better data protection measures by websites.