Thousands of Chrome extensions have the necessary permissions to extract sensitive information. A team of researchers from the University of Wisconsin-Madison in the United States says that 12.5% of Chrome Web Store plugins allow the collection of sensitive data. users, such as passwords or credit card numbers.
Extensions enhance the capabilities of web browsers by adding new features, changing the content of pages, or automating tasks to improve the user experience. Some, for example, manage access data, serve as productivity tools, or help block ads.
These extensions achieve their purpose by accessing and manipulating the content of websites. Google has implemented various policies to prevent malicious users from using these features and collecting personal information. However, researchers at the University of Wisconsin showed that you can bypass security measures and get confidential information using some plugins.
The big problem, explain those responsible for the study, is that extensions can still view all the content of Internet pages. Many have unrestricted access to the site’s Document Object Model (DOM) tree, the structure that defines how it is accessed and used. So they can reach text fields where users enter their passwords or credit card numbers.
They created a malicious extension and Chrome accepted it.
To prove their words, the group developed their own malicious extension and uploaded it to the Chrome Web Store. for the review process. To disguise their plugin, they presented it as a GPT-based wizard offering similar functionality to ChatGPT on the web. They requested permission to post on all pages. The extension passed the Google Chrome Web Store verification process without issue, the research report explains.
A group of researchers found that over 1000 most popular sites Around the world, including some Google and Cloudflare portals, passwords are stored in plain text in the HTML source code of their pages. Other 7300 sites vulnerable to DOM access.
“Due to the browsers’ coarse permission model, there is no security boundary between the plugin and the web page,” the report says. The lack of restrictions allows the plugin to interact and manipulate HTML elements freely. This allows you to directly retrieve user input.
After the experiment was completed, the extension was immediately removed from the online store. They always kept it in “unpublished” mode so that users couldn’t find it and install it.
Thousands of dangerous applications
The University of Wisconsin team has also downloaded all extensions available from the Chrome Web Store. They analyzed the functionality and permissions that these plugins requested. Thus, they found that 12.5% of the total had the necessary permissions to exploit the discovered vulnerabilities.. There are about 17 thousand extensions, some of which are as popular as AdBlockPlus and Honey. with over 10 million users.
They also found that 190 extensions directly access password fields. This suggests that some developers are already trying to exploit the security hole.
If an attacker can access or manipulate fields such as text fields, “they could steal a user’s personal information, impersonate a user, or commit financial fraud,” the report notes. They also warn that this data could be exposed by scripts or automated bots that scan websites for such vulnerabilities.
Source: Hiper Textual
I am Garth Carter and I work at Gadget Onus. I have specialized in writing for the Hot News section, focusing on topics that are trending and highly relevant to readers. My passion is to present news stories accurately, in an engaging manner that captures the attention of my audience.
