A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website’s source code.
An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.
Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.
Source of the problem
The researchers explain that the problem concerns the systemic practice of giving browser extensions unrestricted access to the DOM tree of sites they load on, which allows accessing potentially sensitive elements such as user input fields.
Given the lack of any security boundary between the extension and a site’s elements, the former has unrestricted access to data visible in the source code and may extract any of its contents.
Additionally, the extension may abuse the DOM API to directly extract the value of inputs as the user enters them, bypassing any obfuscation applied by the site to protect sensitive inputs, and stealing the value programmatically.
The Manifest V3 protocol that Google Chrome introduced, and adopted by most browsers this year, limits API abuse, prohibits extensions from fetching code hosted remotely that could help evade detection, and prevents the use of eval statements that lead to arbitrary code execution.
However, as the researchers explain, Manifest V3 does not introduce a security boundary between extensions and web pages, so the problem with content scripts remains.
On the face of it deploying a new and more granular permission system then getting the 100k+ already-existing extensions to comply with it sounds like an extraordinary measure, especially considering the traditionally neglected target demographic of people who installed something they shouldn’t have. But reading the list of features already introduced with Manifest V3 makes it sound like the infrastructure needed to introduce a mitigation here is mostly already in place, so maybe there is some cause for cautious optimism here (though Google’s official initial response, a variation on the classic “that’s not a security boundary”, doesn’t seem very promising).