Malicious Chrome extensions can steal plaintext passwords

Researchers at the University of Wisconsin-Madison have created and uploaded a proof-of-concept browser extension to the Chrome Web Store that can manipulate text input fields in websites. Why would a group of researchers do such a thing? To show that it’s possible to upload such an extension to Chrome’s Web Store without breaching the browser’s current security and privacy standard, Manifest V3. If this extension can steal passwords and still be approved, there’s no telling how many seemingly legitimate and safe extensions currently available can do the same.

How this is possible

Most people use at least a couple of browser extensions to improve their online browsing experience, ad blockers and antiviruses being typical examples. The issue is that to do a good job, browser extensions must have a high degree of access to the webpage and browser. This can pose a security issue if an extension has been created by a malicious party.

To combat this issue, Google created the Manifest V3 standard, which Microsoft Edge and Mozilla Firefox also use. According to Malwarebytes, the standard prevents extensions from downloading code from remote websites, which can stop extensions from changing their functionality after installation. Even so, the researchers found that an extension can still steal passwords while passing Chrome’s review process, and that Manifest V3 does not add a security boundary between extensions and web pages.

The potential password theft issue

Researchers found that the main issue lies with the Document Object Model (DOM). The DOM is a way of representing the objects that make up the structure and content of a document on the web, such as a web page. This data is usually presented in a tree structure with nodes representing each document element. Browser extensions often have unrestricted access to the DOM of each page a user visits. With this access comes the potential to modify the web page, including text input fields where people enter their passwords.

The Chrome extension created by the researchers specifically targets this issue on websites. This extension claimed to be a “GPT-based assistant offering ChatGPT-like functions on websites” so that it could ask for permission to run on all websites a user visited. They then investigated the possibility of modifying web pages, with varying results. Whether or not a technique works also depends on how a web page is designed. Worryingly, they have found that most of the top 10,000 sites on the web are vulnerable, including cloudflare.com, facebook.com, and amazon.com.

The researchers then analyzed extensions currently available in Chrome’s web store to check which had the capabilities to carry out these techniques. They found that 12.5% of extensions had the necessary permissions to potentially exploit the password field, with 190 extensions having direct access to password fields. 
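
A defender can run the same kind of permission check over the manifests of extensions installed in their own environment. This is an added example, not the researchers' tooling or code from the article; the function names, the list of "broad" match patterns and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag extension manifests that can script every site a user visits.
// Assumption: a "broad" pattern is one of the all-hosts match patterns below.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const broadOnly = (patterns) => (patterns || []).filter((p) => BROAD.has(p));

// Returns the reasons a manifest can reach the DOM (and input fields) of any page.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const mv3 = manifest.manifest_version >= 3;

  // Declared content scripts run inside every matching page.
  for (const cs of manifest.content_scripts || []) {
    const hits = broadOnly(cs.matches);
    if (hits.length) findings.push(`content script on ${hits.join(", ")}`);
  }

  // MV3 keeps host patterns in host_permissions and needs "scripting" to inject;
  // MV2 lists host patterns inside permissions and needs nothing further.
  const hosts = broadOnly(mv3 ? manifest.host_permissions : perms);
  const canInject = mv3 ? perms.includes("scripting") : true;
  if (hosts.length && canInject) {
    findings.push(`programmatic injection on ${hosts.join(", ")}`);
  }
  return findings;
}

// Constructed sample manifests (hypothetical extensions, not real store listings).
const SAMPLES = [
  { name: "page-assistant", manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] },
  { name: "tab-helper", manifest_version: 3,
    permissions: ["scripting", "storage"], host_permissions: ["https://*/*"] },
  { name: "single-site-tool", manifest_version: 3, permissions: ["storage"],
    content_scripts: [{ matches: ["https://example.com/*"], js: ["tool.js"] }] },
  { name: "legacy-toolbar", manifest_version: 2, permissions: ["tabs", "<all_urls>"] },
];

// Names of the extensions that warrant a manual review.
function flagged(manifests) {
  return manifests.filter((m) => auditManifest(m).length > 0).map((m) => m.name);
}

for (const m of SAMPLES) {
  console.log(m.name, auditManifest(m));
}
```

A flagged manifest only shows that the extension has the reach described above; it narrows which extensions deserve a manual review.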

Possible solutions

The researchers suggest two potential solutions for remedying the issue, which they describe as bolt-on and built-in. The bolt-on solution is a JavaScript package that web developers can use to protect sensitive input fields on a webpage. The built-in solution is an add-on for browsers that prevents extensions from unrestricted access to sensitive input fields.

BleepingComputer contacted many of the impacted companies for comment, including Google. A spokesperson confirmed to the publication that they’re looking into these findings but pointed out that Chrome policy doesn’t necessarily consider access to password fields a security problem if the extensions previously obtained the proper permissions.
