A team of researchers from the University of Wisconsin-Madison has found that Chrome extensions can steal plaintext passwords from websites. The researchers created a proof-of-concept extension that can extract passwords from the source code of websites.
The researchers say that the problem is caused by the way that Chrome extensions are granted access to websites. Extensions are given unrestricted access to the DOM tree of the websites they load on, which allows them to access potentially sensitive elements such as user input fields.
Additionally, the extension may abuse the DOM API to directly extract the value of inputs as the user enters them, bypassing any obfuscation applied by the site to protect sensitive inputs, and stealing the value programmatically.
The Manifest V3 protocol that Google Chrome introduced, and adopted by most browsers this year, limits API abuse, prohibits extensions from fetching code hosted remotely that could help evade detection, and prevents the use of eval statements that lead to arbitrary code execution.
However, as the researchers explain, Manifest V3 does not introduce a security boundary between extensions and web pages, so the problem with content scripts remains.
The researchers say that the problem could be fixed by giving extensions more granular permissions. For example, an extension could be granted permission to access only the user input fields that are relevant to its functionality.
