CHROME STEALS YOUR PASSWORD
In a recent development that has sent shockwaves through the cybersecurity community, researchers from the University of Wisconsin-Madison have uncovered a critical vulnerability that poses a significant threat to Chrome users. At the centre of the discovery is a proof-of-concept extension able to extract plaintext passwords directly from a website's source code. In this blog post, we'll delve into the details of this unsettling finding and its potential implications for online security.
The Threat Unveiled
The research team's findings have unearthed a glaring vulnerability within the Chrome Web Store. They successfully created an extension that can steal passwords in plaintext directly from a website's source code. This discovery is a stark reminder of the critical issues that persist in the current security landscape.
Violation of Least Privilege Principle
The researchers have shed light on a fundamental problem with the permission model that underpins Chrome extensions. The model fails to adhere to the principles of least privilege and complete mediation, leaving extensions with unrestricted access to a website's Document Object Model (DOM) tree. With no boundary in place, any sensitive data present in the DOM is exposed to the extension.
Storing Passwords in Plain Text
Perhaps the most surprising aspect of this revelation is that numerous widely visited websites, including those operated by tech giants like Google and Cloudflare, store user passwords in plaintext within their HTML source code. This practice essentially hands over the keys to the kingdom to extensions capable of easily retrieving these passwords.
Source of the Problem
At the heart of the issue lies the unrestricted access that browser extensions enjoy to a website's DOM tree. This level of access allows extensions to extract any data that is visible in the source code, with no security boundary in between.
Manifest V3: An Attempt to Address the Issue
To mitigate this problem, Google introduced Manifest V3. However, Manifest V3 does not establish a concrete security boundary between extensions and web pages, so the underlying issue remains unresolved.
Uploading a Proof-of-Concept
To further test the integrity of Google's Web Store review process, the researchers developed an extension capable of carrying out password-grabbing attacks. Alarmingly, this extension passed the review process, exposing gaps in the security checks in place.
The Wider Impact
The implications of this vulnerability are profound. Subsequent investigations have revealed that a significant number of websites store passwords in plaintext, leaving them vulnerable to these types of attacks. Moreover, a substantial number of extensions available in the Chrome Web Store possess the necessary permissions to extract sensitive information, putting millions of users at risk.
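The least-privilege problem described above and the point about how many extensions already hold page-wide permissions can both be made concrete from the reviewer's side. The following is an added example, not code from the original post or from the researchers: a small audit of a Manifest V3 manifest that flags the grants (broad host_permissions, content scripts matched to every page, the "scripting" permission combined with broad hosts) that let an extension run inside the DOM of arbitrary sites, applied to a constructed over-broad manifest and its narrowed counterpart. The manifest contents and the origin https://example.com are assumptions for illustration.

```javascript
// Added example (not the post's or the researchers' code): audit a Manifest V3
// manifest for grants that let an extension run in the DOM of arbitrary pages.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
function isBroad(pattern) {
  return BROAD.has(String(pattern).trim());
}
// Returns human-readable findings; an empty array means no page-wide grant.
function auditManifest(manifest) {
  const findings = [];
  const hosts = manifest.host_permissions || [];
  const perms = manifest.permissions || [];
  // host_permissions decide which origins the extension may reach at all.
  for (const h of hosts) {
    if (isBroad(h)) findings.push(`broad host_permissions entry: ${h}`);
  }
  // A content script whose "matches" is broad runs inside the DOM of every
  // page, with the same read access to form fields as the page's own scripts.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroad(m)) {
        findings.push(`content script [${(cs.js || []).join(", ")}] injected into ${m}`);
      }
    }
  }
  // "scripting" allows dynamic injection into any origin covered by a host
  // permission, so combined with a broad host grant it is page-wide as well.
  if (perms.includes("scripting") && hosts.some(isBroad)) {
    findings.push('"scripting" permission combined with broad host_permissions');
  }
  return findings;
}

// Constructed sample manifests for a hypothetical extension.
const overBroadManifest = {
  manifest_version: 3,
  permissions: ["scripting", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
// The same extension narrowed to the one origin it actually serves.
const leastPrivilegeManifest = {
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
};

console.log(auditManifest(overBroadManifest));      // three findings
console.log(auditManifest(leastPrivilegeManifest)); // []
```

The narrowed manifest still works for the site it is meant for, but a review of the kind described above would no longer find a grant that reaches every page a user visits.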
This revelation serves as a stark reminder of the critical importance of cybersecurity awareness, applicable to both technical and non-technical users. It emphasizes the need for vigilant security practices, not only from users but also from web developers and browser vendors. In the coming updates, we will explore how the industry addresses this pressing issue. In the meantime, exercise caution while browsing and using extensions, as your online security ultimately rests in your hands. Stay tuned for further developments in this evolving landscape.