Thousands of Chrome extensions have the necessary permissions to extract sensitive information. A group of researchers from the University of Wisconsin-Madison, in the United States, says that 12.5% of Chrome Web Store extensions are able to collect sensitive user data, such as passwords or credit card numbers.
Extensions enhance the capabilities of web browsers by adding new features, modifying page content, or automating tasks to improve the user experience. Some, for example, manage login credentials, serve as productivity tools or help block ads.
These extensions achieve their goal by accessing the content of websites and manipulating it. Google has introduced various rules to prevent malicious actors from exploiting these features and collecting private data. However, researchers at the University of Wisconsin showed that it is possible to circumvent the protection measures and extract sensitive information using some plugins.
The main problem, the study's authors explain, is that extensions can still read all the content of web pages. Many have unrestricted access to a site’s Document Object Model (DOM) tree, the structure that represents the page's content and defines how it is accessed and manipulated. In this way, they can reach the text boxes where users type their passwords or credit card numbers.
They created a malicious extension and Chrome accepted it
To prove their point, the group developed their own malicious extension and submitted it to the Chrome Web Store review process. To disguise the plugin, they presented it as a GPT-based assistant that offered functionality similar to ChatGPT on the web. They requested permission to run on all pages. The extension passed the Chrome Web Store verification process without any problems, the study's report explains.
The group of researchers found that over 1,000 of the most popular websites in the world, including some Google portals and Cloudflare, store passwords in plain text within the HTML source code of their pages. Another 7,300 sites are vulnerable to DOM access.
“Due to the coarse-grained permissions model of browsers, there is a lack of a security boundary between the plugin and the web page,” the report says. Without that boundary, the plugin can freely interact with and manipulate HTML elements, which allows direct extraction of user input.
After the experiment was done, they immediately removed the extension from the web store. They always kept it in “unpublished” mode so users couldn’t find and install it.
Thousands of dangerous applications
The University of Wisconsin group also downloaded all the extensions available on the Chrome Web Store. They analyzed the functionality and permissions that these plugins requested. In this way, they discovered that 12.5% of the total have the necessary permissions to exploit the vulnerabilities discovered. That is about 17 thousand extensions, some as popular as AdBlockPlus and Honey, with more than 10 million users.
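A permission review of this kind can be approximated by checking each extension's manifest.json for host patterns that cover every site. The following is an added example, not the researchers' tooling; the sample manifests and function names are constructed for illustration, and a broad permission indicates capability, not malicious behaviour.

```javascript
// Added example: flags extension manifests whose declared permissions allow
// script access to the DOM of every site. Sample manifests are constructed.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const hostSources = ["permissions", "host_permissions", "optional_host_permissions"];
  for (const key of hostSources) {
    for (const p of manifest[key] || []) {
      if (typeof p === "string" && isBroad(p)) findings.push(`${key}: ${p}`);
    }
  }
  // Content scripts run inside matching pages and can read form fields there.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroad(m)) findings.push(`content_scripts.matches: ${m}`);
    }
  }
  return { name: manifest.name || "(unnamed)", broadDomAccess: findings.length > 0, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: "sample-assistant", manifest_version: 3,
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }] },
  { name: "sample-single-site", manifest_version: 3,
    permissions: ["storage"],
    content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }] },
  { name: "sample-legacy", manifest_version: 2,
    permissions: ["tabs", "http://*/*", "https://*/*"] },
];

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

for (const r of auditAll(SAMPLES)) {
  console.log(r.name, r.broadDomAccess ? "BROAD" : "scoped", r.findings.join("; "));
}
```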
They also discovered that 190 extensions directly access password fields. This suggests that some developers are already trying to exploit the security hole.
If an attacker can access or manipulate fields such as text boxes, “they can steal private user information, impersonate the user, or commit financial fraud,” the report notes. They also warn that the exposed data could be harvested by scripts or automated bots that scan websites for vulnerabilities like these.