VTA-004461 – Chrome Browser Extensions Pose Risk of Extracting Plaintext Passwords from Websites
Researchers from the University of Wisconsin-Madison have raised concerns about the security of Chrome extensions and the storage of plaintext passwords within website source code. They uploaded a proof-of-concept extension to the Chrome Web Store, demonstrating how extensions can steal plaintext passwords from website source code. Their investigation revealed that the current permission model for Chrome extensions lacks granularity, potentially violating the principles of least privilege and complete mediation. They found that numerous popular websites, including some Google and Cloudflare portals, store passwords in plaintext within their HTML source code, making them accessible to extensions. This issue arises from the practice of granting extensions unrestricted access to a site’s Document Object Model (DOM), which lets them read sensitive elements such as user input fields. Although Manifest V3, the extension platform version introduced by Google Chrome, aims to limit API abuse, it does not establish a security boundary between extensions and web pages, so this vulnerability remains unresolved. To test Google’s Web Store review process, the researchers successfully uploaded an extension capable of password-grabbing attacks, highlighting potential shortcomings in that review. The study indicates that a significant number of Chrome extensions possess permissions that would allow them to extract sensitive information from websites, potentially putting user data at risk.
T1176 – Browser Extensions
Indicators of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1. Keep Chrome extensions up to date by enabling automatic updates.
2. Download extensions only from the official Chrome Web Store or trusted sources.
3. Be cautious when enabling “Developer Mode” in Chrome to install extensions not from the Chrome Web Store.
4. If you encounter a suspicious or potentially malicious extension, report it to Google using the “Report abuse” feature in the Chrome Web Store.
5. Employ security software, including endpoint protection and anti-malware tools, to help detect and block malicious extensions.
6. Avoid autosaving passwords on websites, and use a password manager to generate and store strong, unique passwords for each website.
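One way to support countermeasure 5 is to audit extension manifests for the capability the research relies on: the ability to run script inside any web page and read its DOM. The following is an added example, not code from the advisory or the researchers; the sample manifests are constructed, while the manifest keys it inspects (manifest_version, permissions, host_permissions, content_scripts[].matches) are real Chrome extension manifest fields.

```javascript
// Added example (not from the advisory): flag Chrome extension manifests that
// can execute script in, and therefore read the DOM of, every website.
// Match patterns that cover every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroadHost(pattern) {
  return BROAD_HOSTS.has(pattern);
}

// Returns a list of findings; an empty list means no all-site DOM access detected.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Declared content scripts run inside the page's DOM on every matching site.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadHost);
    if (broad.length) findings.push(`content script on all sites: ${broad.join(", ")}`);
  }
  if (manifest.manifest_version === 3) {
    // MV3: chrome.scripting.executeScript needs "scripting" plus host access to the page.
    const broad = (manifest.host_permissions || []).filter(isBroadHost);
    if (broad.length && perms.includes("scripting")) {
      findings.push(`"scripting" + host_permissions ${broad.join(", ")}: injection into any page`);
    }
  } else {
    // MV2: a broad host permission alone is enough for chrome.tabs.executeScript.
    const broad = perms.filter(isBroadHost);
    if (broad.length) findings.push(`MV2 host permission ${broad.join(", ")}: injection into any page`);
  }
  return findings;
}

// Audit a map of extension name -> parsed manifest.json object.
function auditAll(manifests) {
  const report = {};
  for (const [name, m] of Object.entries(manifests)) report[name] = auditManifest(m);
  return report;
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = {
  "note-taker": { manifest_version: 3, permissions: ["storage"], host_permissions: ["https://notes.example/*"] },
  "page-helper": { manifest_version: 3, permissions: ["scripting", "storage"], host_permissions: ["<all_urls>"] },
  "theme-injector": { manifest_version: 2, permissions: ["*://*/*"], content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }] },
};

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

Note that an MV3 manifest with "scripting" and `<all_urls>` is flagged just like an MV2 one: the manifest version change limits some APIs but, as the advisory states, does not create a boundary between extensions and page content.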
Contributed by: Edward