Recent research conducted by the University of Wisconsin-Madison, as detailed by BleepingComputer, has brought to light a disconcerting discovery concerning Chrome extensions. Despite Google’s stringent precautions, which include mandatory verification for extensions prior to publication, a significant security gap remains. Shockingly, it has been revealed that more than ten thousand Chrome extensions possess the capability to surreptitiously extract passwords stored within a website’s source code.
This investigation has unveiled a disquieting reality within the realm of cybersecurity. Google’s web browser seemingly affords extensions an unusually high degree of access, potentially enabling third parties to harvest sensitive information. The primary vulnerability lies in websites that house user data, including unencrypted plaintext usernames and passwords within their HTML code.
The crux of the issue centers around Chrome’s extensions, which enjoy unfettered access to DOM Trees, granting them the ability to scrutinize text input fields and delve deep into website source codes. What heightens the alarm is that these extensions can effectively record users’ keystrokes, thereby bypassing password security measures and encryption protocols implemented by websites.
Despite Google’s implementation of the Manifest V3 protocol for Chrome extensions, designed to prevent the execution of potentially harmful code, it lacks the necessary security mechanisms to govern interactions between extensions and websites. Consequently, an estimated 12.5% of Chrome extensions, totaling roughly 17,300 in number, possess the potential to exploit this vulnerability. This disconcerting category encompasses a wide array of extensions, ranging from ad blockers to shopping assistance applications, among others.