Chrome Secrets / Extension Secrets.
Chrome Extensions' Secret Quest for Password Treasures.
In a recent study, scientists from the University of Wisconsin-Madison uncovered a troubling issue with Chrome extensions. Although these small browser add-ons seem innocent, they may be hiding a darker side: the capability to steal plaintext passwords from websites. The source of the problem is the vast permissions granted to Chrome extensions. Because extensions have access to the web page's Document Object Model (DOM) tree, they can reach private areas such as input fields. In essence, no security boundary stands between these extensions and the page, so they have unrestricted access to its source code and can steal any important information they find.
Chrome Extension Security and Manifest V3
One might wonder whether Manifest V3, a recent update designed to enhance extension security, has solved these problems. Although it introduced some security measures, it has not entirely stopped extensions from accessing web pages. In particular, it does not address the issue with content scripts, so extensions that abuse them can continue to do so.
Researchers created a Chrome extension as a proof of concept to assess the effectiveness of Google's Web Store approval procedure. When a user tried to log in, the apparently harmless extension was able to capture the page's HTML source code. It also used CSS selectors to pick out target input fields and silently extract what users typed into them.
Extension passed through Google’s Web Store
Surprisingly, the extension passed Google's Web Store review and was approved without issues. Despite its malicious potential, it evaded static detection. It also did not download code from other sources, which kept the extension Manifest V3-compliant.
The researchers adhered to ethical guidelines, ensuring that no actual data was gathered or misused. They shut down the data-receiving server and kept only the element-targeting server operating. The extension was kept in the "unpublished" state to prevent it from receiving many downloads, and it was promptly removed from the store once it had served its research objectives.
A more thorough analysis showed that around 17,300 extensions on the Chrome Web Store (equivalent to 12.5 percent of all extensions) have the permissions needed to access sensitive data from websites. Notably, some of these extensions, such as widely used ad blockers and shopping apps, have millions of downloads.
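As an added example (not code from the study or from Google), the following Node.js script audits extension manifests for the kind of broad page access described above. The match patterns it treats as "all sites" and the sample manifests are assumptions constructed for illustration, so it will not reproduce the researchers' exact count.

```javascript
// Added example: flag manifests that allow DOM access on every site.
// Assumption: these four match patterns are treated as "all sites".
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const broadOnly = (list) => (list || []).filter((p) => BROAD_PATTERNS.has(p));

function auditManifest(manifest) {
  const findings = [];
  const permissions = manifest.permissions || [];

  // Content scripts run inside every matching page and can read its DOM,
  // including the values of input fields.
  for (const script of manifest.content_scripts || []) {
    const patterns = broadOnly(script.matches);
    if (patterns.length > 0) {
      findings.push({ via: "content_scripts", patterns, allFrames: script.all_frames === true });
    }
  }

  // Manifest V3 lists hosts under host_permissions; Manifest V2 mixes them into permissions.
  const hosts = broadOnly([...(manifest.host_permissions || []), ...permissions]);
  // V3 needs the "scripting" permission for chrome.scripting.executeScript;
  // V2 needs only the host permission for chrome.tabs.executeScript.
  const canInject = manifest.manifest_version === 2 || permissions.includes("scripting");
  if (hosts.length > 0 && canInject) {
    findings.push({ via: "programmatic_injection", patterns: hosts });
  }

  return { name: manifest.name, broadDomAccess: findings.length > 0, findings };
}

// Constructed sample manifests (hypothetical extensions, not real store entries).
const SAMPLES = [
  { name: "page-helper", manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], all_frames: true }] },
  { name: "shop-coupons", manifest_version: 3, permissions: ["scripting", "storage"],
    host_permissions: ["*://*/*"] },
  { name: "single-site-tool", manifest_version: 3,
    content_scripts: [{ matches: ["https://example.com/*"], js: ["tool.js"] }] },
  { name: "click-to-run", manifest_version: 3, permissions: ["activeTab", "scripting"] },
];

const auditAll = (manifests) => manifests.map(auditManifest);

for (const r of auditAll(SAMPLES)) {
  console.log(r.name, r.broadDomAccess ? "BROAD" : "scoped", r.findings.map((f) => f.via).join(","));
}
```

Extensions limited to named hosts or to `activeTab` are reported as scoped, which is the posture to prefer when reviewing what is installed in a managed browser fleet.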
In addition, among the top ten thousand websites, researchers discovered around 1,100 sites that stored users' passwords in plaintext inside the HTML DOM. A further 7,300 websites were found to have DOM API-accessible vulnerabilities, which allow extensions to gather data from users' input.
The problem becomes even more worrying when you look at the most popular websites. For instance, websites like Gmail, Cloudflare, Facebook, Citibank, IRS, Capital One, USENIX, and Amazon are vulnerable. The exposures on these websites range from plaintext passwords to visible Social Security Numbers (SSNs) and credit card information in the page's source code.
Although the seriousness of this situation is apparent, it is not clear how browser makers and business owners will deal with these issues. Amazon has stressed its commitment to security for clients, and Google is currently investigating the issue. As we explore this fascinating and tense world, we must ask: Are Chrome extensions our defenders or silent thieves in online security?