Chrome Extensions Can Steal Passwords from Website Source Code

Researchers from the University of Wisconsin–Madison have discovered that it is possible to upload Chrome extensions to the Chrome Web Store that can steal website passwords directly from the site’s source code. The issue, according to the researchers, stems from the practice of granting extensions unrestricted access to the DOM tree of the websites they run on. This allows extensions to access potentially sensitive elements, including user input fields.

Because there are no security boundaries between the extension and website elements, extensions have unlimited access to data in the source code and can extract any content from it. Additionally, extensions can abuse the DOM API to directly extract the value of input fields as the user types, bypassing any obfuscation a site may use to protect sensitive data.

The new Manifest V3, adopted by most browsers this year, limits API abuse, prohibits extensions from fetching remote code, and prevents the use of eval, which could lead to arbitrary code execution. However, experts note that Manifest V3 does not establish security boundaries between extensions and web pages, so the issue with content scripts remains.

Proof-of-Concept Malicious Extension

To prove their theory, the researchers created a special malicious proof-of-concept extension and attempted to upload it to the Chrome Web Store. The extension, which posed as a GPT assistant, was capable of:

  • Capturing the page’s original HTML source when a user tried to log in, and extracting credentials from it with regular expressions;
  • Abusing CSS selectors to target input fields and extract user-entered data via the .value property;
  • Replacing page elements so that obfuscated, JavaScript-based input fields were swapped for plain, unprotected password input fields.

Since the extension did not contain obviously malicious code, it successfully bypassed static analysis. It also did not fetch code from external sources, so it complied with Manifest V3 requirements. As a result, the extension passed review and was successfully published in the Chrome Web Store.

In their report, the experts emphasized that during their test, they excluded the collection of real user data by disabling the data collection server and leaving only the element targeting server active. The extension was also kept unpublished to avoid mass downloads and was promptly removed from the store after approval.

Widespread Vulnerabilities on Popular Websites

Subsequent analysis showed that out of the 10,000 most visited websites on the internet (according to Tranco), about 1,100 store user passwords as plain text in the HTML DOM. Another 7,300 sites were found to be vulnerable to DOM API access and direct extraction of user input.

Ultimately, the experts claim that about 17,300 extensions in the Chrome Web Store (12.5% of the total) have the necessary permissions to extract sensitive information from websites. Some of these, including popular ad blockers and shopping apps, have millions of installations.

Examples of Vulnerable Sites

The researchers listed the following as examples of sites lacking protection:

  • gmail.com – passwords in plain text in the source HTML code;
  • cloudflare.com – passwords in plain text in the source HTML code;
  • facebook.com* – user data can be extracted via the DOM API;
  • citibank.com – user data can be extracted via the DOM API;
  • irs.gov – Social Security numbers are visible in plain text in the page source code;
  • capitalone.com – Social Security numbers are visible in plain text in the page source code;
  • usenix.org – Social Security numbers are visible in plain text in the page source code;
  • amazon.com – bank card data (including CVV codes) and postal codes are displayed in plain text in the page source code.

Additionally, the analysis identified 190 extensions (some with over 100,000 downloads) that directly access password input fields and store the values in a variable, suggesting that some are already attempting to exploit this vulnerability.
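The two properties the article ties to risk are (1) permissions or content-script match patterns broad enough to run on any site, which underlies the "17,300 extensions" figure above, and (2) content scripts that target password fields and read their values into a variable, as the 190 flagged extensions do. The following Node.js script is an added example, not code from the article or from the researchers' tooling: it audits an extension's manifest and content-script sources for both signals. The manifests, script snippets and heuristic labels are constructed for this example; the manifest keys (host_permissions, permissions, content_scripts[].matches) are the real Chrome manifest fields.

```javascript
// Added example (not from the article or the researchers): a small Node.js
// audit that flags the two properties the article associates with risk:
//   1. host permissions / content-script matches broad enough to run on any site
//   2. content-script source that targets password fields and reads .value,
//      or captures the page's HTML source
// All sample manifests and scripts below are constructed for this example.

const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
]);

// Source heuristics; each hit is reported under its label. These are
// coarse triage signals, not proof of malice: a password manager legitimately
// matches all of them.
const SOURCE_HEURISTICS = [
  { label: "password-field-access", re: /type\s*=\s*['"]?password['"]?|:password\b/i },
  { label: "input-value-read",      re: /\.value\b/ },
  { label: "html-source-capture",   re: /\.(outerHTML|innerHTML)\b/ },
];

function isBroadPattern(p) {
  return BROAD_HOST_PATTERNS.has(p.trim());
}

// Collect every host pattern that can put extension code on a page: MV3
// host_permissions, MV2-style host patterns listed under permissions, and
// content_scripts[].matches (the patterns that decide where scripts run).
function hostPatterns(manifest) {
  const out = [];
  for (const key of ["host_permissions", "permissions", "optional_host_permissions"]) {
    for (const p of manifest[key] || []) {
      if (typeof p === "string" && (p.includes("://") || p === "<all_urls>")) out.push(p);
    }
  }
  for (const cs of manifest.content_scripts || []) {
    out.push(...(cs.matches || []));
  }
  return out;
}

function hasBroadHostAccess(manifest) {
  return hostPatterns(manifest).some(isBroadPattern);
}

// Return the labels of every heuristic that matches the script source.
function scanContentScript(source) {
  return SOURCE_HEURISTICS.filter(h => h.re.test(source)).map(h => h.label);
}

// Combine both signals into a coarse rating: "high" only when the extension
// can run everywhere AND its scripts both target password fields and read them.
function auditExtension({ manifest, contentScripts }) {
  const broad = hasBroadHostAccess(manifest);
  const findings = new Set();
  for (const src of contentScripts) scanContentScript(src).forEach(f => findings.add(f));
  const touchesPasswords = findings.has("password-field-access") &&
    (findings.has("input-value-read") || findings.has("html-source-capture"));
  let risk = "low";
  if (broad && touchesPasswords) risk = "high";
  else if (broad || touchesPasswords) risk = "medium";
  return { name: manifest.name, broadHostAccess: broad, findings: [...findings].sort(), risk };
}

// Constructed samples: one extension matching the article's description
// (runs everywhere, reads a password field into a variable) and one
// least-privilege extension scoped to a single origin that only restyles the page.
const SAMPLES = {
  broad: {
    manifest: {
      manifest_version: 3, name: "Example Assistant (constructed)",
      host_permissions: ["<all_urls>"],
      content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
    },
    contentScripts: [
      `const pw = document.querySelector('input[type="password"]');
       let captured = pw ? pw.value : null;`,
    ],
  },
  scoped: {
    manifest: {
      manifest_version: 3, name: "Theme Tweaks (constructed)",
      content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["style.js"] }],
    },
    contentScripts: [`document.body.style.background = "#fafafa";`],
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const ext of Object.values(SAMPLES)) console.log(auditExtension(ext));
}
```

Run it with `node audit.js` after unpacking an extension and passing its manifest and script sources in place of SAMPLES. The heuristics deliberately err on the side of flagging: the point, as Google's FAQ quoted below makes clear, is that the browser itself does not treat this access as a bug, so an organisation that cares has to review the permissions and scripts of the extensions it allows.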

Industry Response

Journalists from Bleeping Computer reached out to major tech companies to ask if they plan to address the risks described by the researchers. Amazon stated that “customer information entered on Amazon sites is secure” and advised browser and extension developers to “use advanced security practices to further protect customers.”

Google, in turn, responded that they are reviewing the issues raised by the researchers, but also referred to their extension security FAQ, which states that access to password input fields is not considered a security issue if the necessary permissions have been properly granted.
