Should we do without Chrome extensions? Researchers have found that they can steal plain-text passwords thanks to permissions granted by Google itself. But the giant does not seem in a hurry to react.
While extremely convenient, extensions are also a gateway for cybercriminals, because they need access to user data in order to work. Even if you are careful and only install them from official stores, the danger remains: infected extensions turn up regularly in the Chrome Web Store. Researchers at the University of Wisconsin-Madison (USA) have found that the extension permission system is too lax and lets an attacker read usernames and passwords in plain text, straight from the page's source, something Google's own permission model allows. Thousands of Chrome extensions available in the Google store are able to read this confidential information, while many popular sites expose their users' passwords in plain text in the HTML of their pages. A real computer security problem.
Chrome extensions: information accessible in plain text
The study, relayed by Bleeping Computer, reveals that the way extensions work can allow a cybercriminal to extract sensitive information from a web page through an extension. To test their theory, the researchers built a fake extension presented as a ChatGPT assistant, which contained no malicious code. Google therefore accepted it and listed it in its store. The team removed it immediately afterwards so that nobody would install it.
But then, how could this decoy steal users' passwords without resorting to malware? The researchers simply used the DOM (Document Object Model) tree of websites, the programming interface that lets scripts inspect and modify the content of a page in real time. Through it, an extension's content script gets unrestricted access to everything the page contains, including usernames and passwords typed into forms, simply by walking the HTML.
Google has implemented a security protocol called Manifest V3, meant to reduce API abuse, in particular by making it impossible to load remotely hosted code. However, it introduces no security boundary between extensions and web pages: content scripts still see the full page, so pages remain exposed to them.
Chrome extensions: a worrying security flaw
Many websites, including popular ones like Gmail, Amazon, Facebook, and Cloudflare, recklessly keep plain-text passwords, without any encryption, directly in the HTML of their pages, the researchers say. They tested some 10,000 sites and found that more than 1,000 of them actually held passwords in plain text in their source code, while 7,300 sites were vulnerable to extraction through the DOM API.
Going further, the experts found that about 17,300 Chrome extensions, or 12.5% of the official store, hold the permissions needed to extract this sensitive information legitimately. 190 of them reportedly already take advantage of it. One can only hope that the tech giant quickly fixes this worrying flaw, but it does not seem to be heading that way. Contacted by Bleeping Computer, Google considers that there is no security flaw in the way extensions operate, since these modules access a site's source code only after obtaining the required permissions. Move along, nothing to see!