A group of academic researchers has built a proof-of-concept Chrome extension that can steal passwords from text input fields and published it to the Chrome webstore.
Posing as a GPT-based assistant to receive permissions to access all webpages, the extension was designed in line with Manifest V3 (MV3), the security and privacy standard that Chrome introduced in December 2020, and passed Google’s review process, being approved in the webstore.
However, the extension would leverage static and dynamic code injection techniques to exploit two newly identified vulnerabilities in text input fields and extract the user-supplied passwords from webpages.
The attack detailed by three researchers from University of Wisconsin – Madison in a research paper (PDF) relies on the fact that the extensions are essentially JavaScript applications that are loaded into the Document Object Model (DOM) tree of the page, which replicates the webpage as a tree structure.
Once loaded into the DOM tree, the lack of security boundaries allows the extension to leverage the DOM APIs to gain access to all DOM elements and extract the value of the input elements. Google.com and Cloudflare.com are two top websites impacted by this vulnerability.
Additionally, the academics discovered that the password is present in plain text in the HTML source, namely in the outerHTML of the password field.
The academics devised three attacks exploiting these vulnerabilities: extracting the password from the page source, extracting the value from the element’s outerHTML, and bypassing JavaScript-based obfuscation by replacing protected input elements with plain password fields.
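The outerHTML exposure described above comes down to where a page keeps the typed secret: a value reflected into the `value` content attribute is serialized into the markup, while the live `value` property (the "dirty value" a user types) is not. The following is an added example, not code from the paper or the article, that models that distinction with a small stand-in for HTMLInputElement (the `MockInput` class and the sample fields are constructed for illustration) and shows a site-side check plus the mitigation of dropping the reflected attribute. It does not model Chrome's isolated worlds, so it says nothing about what a content script can or cannot read through the `value` property itself.

```javascript
// Added example (constructed, not from the paper): a minimal stand-in for
// HTMLInputElement that keeps the two places a browser stores a field's
// value apart: the `value` content attribute (serialized into outerHTML)
// and the live `value` property (the dirty value, never serialized).
function escapeAttr(s) {
  // Browsers serialize attribute values with & and " escaped.
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

class MockInput {
  constructor(attrs = {}) {
    this.attrs = { ...attrs };
    this._dirty = null; // null until someone assigns the property
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  setAttribute(name, v) { this.attrs[name] = String(v); }
  removeAttribute(name) { delete this.attrs[name]; }
  // Like a real input: the property falls back to the attribute until it is set.
  get value() {
    const attr = this.getAttribute('value');
    return this._dirty !== null ? this._dirty : (attr === null ? '' : attr);
  }
  set value(v) { this._dirty = String(v); }
  get outerHTML() {
    const a = Object.entries(this.attrs)
      .map(([k, v]) => ` ${k}="${escapeAttr(v)}"`)
      .join('');
    return `<input${a}>`;
  }
}

// True when the field's current value can be read back from its serialized
// markup, i.e. from what any DOM reader sees through outerHTML.
function leaksValueInMarkup(el) {
  const v = el.value;
  return v.length > 0 && el.outerHTML.includes(escapeAttr(v));
}

// Site-side mitigation: keep the secret only in the live property and remove
// the reflected attribute, so outerHTML no longer carries it. Capture the
// value first, because removing the attribute would otherwise empty a field
// whose value came only from the attribute.
function scrubReflectedValue(el) {
  const v = el.value;
  el.removeAttribute('value');
  el.value = v;
  return el;
}

// Audit all password fields on a (mock) page and return the ones that leak.
function auditPasswordFields(fields) {
  return fields.filter(f => f.getAttribute('type') === 'password' && leaksValueInMarkup(f));
}

// Stand-alone demo with constructed fields.
function demo() {
  const reflected = new MockInput({ type: 'password', name: 'pw', value: 'hunter2' });
  const typed = new MockInput({ type: 'password', name: 'pw2' });
  typed.value = 'hunter2';
  const before = auditPasswordFields([reflected, typed]).length;
  scrubReflectedValue(reflected);
  const after = auditPasswordFields([reflected, typed]).length;
  return { before, after, markup: reflected.outerHTML };
}
```

In a real page the same check is `field.outerHTML.includes(field.value)` and the same fix is `field.removeAttribute('value')` after the value has been moved into the property; frameworks that bind the attribute rather than the property are the usual source of the reflection.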
“We design our extension to include a benign code template that identifies an element with a given CSS selector. We dynamically retrieve the CSS selector string from a server which allows us to control the input fields at runtime. We do not require additional permission to communicate with the server and retrieve the CSS selector. We instead use the background page to fetch the string and pass it through messages to the content script,” the academics explain.
The academics say that their proof-of-concept extension was designed to only interact with their servers, that it did not collect information from the manual testers, and that it was immediately removed from the webstore after approval (it was kept in the ‘unpublish’ mode).
An analysis of the top 10,000 domains from the Tranco list revealed password fields on more than 7,000 websites, and the extension was able to extract passwords from all of them.
Looking into the existing Chrome extensions, the academics discovered that more than 17,000 of them (roughly 12.5% of the total) “have the necessary permissions to extract sensitive information on all web pages.” They also identified 190 extensions that can directly access password fields.
Although Firefox and Safari have adopted MV3 as well, they still allow MV2-based extensions, and the academics excluded them from their research.
To address the identified issues, the academics propose a JavaScript package to help developers protect sensitive input fields, as well as implementing new alerts to notify users when a JavaScript function accesses an input field.
According to the researchers, their experiment succeeded because, once allowed to run on a page, an extension has unrestricted access to its elements, which they describe as an improper application of fundamental security principles.
Other issues, the academics say, include the fact that websites often rely on browsers to provide security protections, and that some websites leave sensitive input fields unprotected or apply minimal protections to them.
“We find that the lack of security boundary between the browser extension and the webpage results in novel vulnerabilities. Our case studies and large-scale measurements highlight the extent of these vulnerabilities, with alarming findings such as the exposure of passwords in plain text on over 1000 websites, including popular ones like Google and Cloudflare,” the academics conclude.
Related: Dozens of Malicious Extensions Found in Chrome Web Store
Related: 1.4 Million Users Install Chrome Extensions That Inject Code Into eCommerce Sites
Related: Google Patches Several Chrome Flaws That Can Be Exploited via Malicious Extensions