Password-Stealing Chrome Extension Demonstrates New Vulnerabilities

Academic researchers design a Chrome extension to steal passwords from input fields and publish it to the Chrome webstore.

A group of academic researchers has built a proof-of-concept Chrome extension that can steal passwords from text input fields and published it to the Chrome webstore.

Posing as a GPT-based assistant in order to receive permission to access all webpages, the extension was built in line with Manifest V3 (MV3), the security and privacy standard that Chrome introduced in December 2020. It passed Google’s review process and was approved for the webstore.

However, the extension leverages static and dynamic code injection techniques to exploit two newly identified vulnerabilities in text input fields and extract user-supplied passwords from webpages.

The attack, detailed by three researchers from the University of Wisconsin–Madison in a research paper (PDF), relies on the fact that extensions are essentially JavaScript applications that are loaded into the Document Object Model (DOM) tree of the page, which represents the webpage as a tree structure.

Once loaded into the DOM tree, the lack of security boundaries allows the extension to leverage the DOM APIs to gain access to all DOM elements and extract the value of the input elements. and are two top websites impacted by this vulnerability.

Additionally, the academics discovered that the password is present in plain text in the source code of the HTML, namely in outerHTML of the password field.

The academics devised three attacks exploiting these vulnerabilities: extracting the passwords from the source code, extracting the value of the element’s outerHTML, and bypassing JavaScript-based obfuscation by replacing protected input elements with simple password fields.

“We design our extension to include a benign code template that identifies an element with a given CSS selector. We dynamically retrieve the CSS selector string from a server which allows us to control the input fields at runtime. We do not require additional permission to communicate with the server and retrieve the CSS selector. We instead use the background page to fetch the string and pass it through messages to the content script,” the academics explain.

The academics say that their proof-of-concept extension was designed to only interact with their servers, that it did not collect information from the manual testers, and that it was immediately removed from the webstore after approval (it was kept in the ‘unpublish’ mode).

An analysis of the top 10,000 domains from the Tranco list revealed password fields on more than 7,000 websites, and the extension was able to extract passwords from all of them.

Looking into the existing Chrome extensions, the academics discovered that more than 17,000 of them (roughly 12.5% of the total) “have the necessary permissions to extract sensitive information on all web pages.” They also identified 190 extensions that can directly access password fields.
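For defenders reviewing installed or allow-listed extensions, the check below flags manifests that permit code to run on every site. It is an added example, not code from the research paper or from SecurityWeek; the set of match patterns treated as "all sites", the finding labels, and the sample manifests are assumptions made for illustration.

```javascript
// Added example (not from the paper): flag manifests that allow code on every site.
// Which patterns count as "all sites" is this example's assumption.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const broad = (patterns) => (patterns || []).filter((p) => BROAD.has(p));

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const isV2 = manifest.manifest_version === 2;

  // Static injection: content scripts declared for every URL.
  for (const cs of manifest.content_scripts || []) {
    const hits = broad(cs.matches);
    if (hits.length) findings.push({ kind: "content_script", patterns: hits });
  }

  // MV3 lists host access in host_permissions; MV2 mixes it into permissions.
  const hostHits = broad([...(manifest.host_permissions || []), ...(isV2 ? perms : [])]);
  if (hostHits.length) {
    // Dynamic injection needs the "scripting" permission in MV3.
    const canInject = isV2 || perms.includes("scripting");
    findings.push({ kind: canInject ? "dynamic_injection" : "host_access", patterns: hostHits });
  }

  // Optional host access only applies once the user grants it at runtime.
  const optional = broad(manifest.optional_host_permissions);
  return { name: manifest.name, allSites: findings.length > 0, optional, findings };
}

// Constructed sample manifests (hypothetical extensions, not real store entries).
const SAMPLES = [
  { name: "assistant", manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] },
  { name: "site-helper", manifest_version: 3, permissions: ["storage"],
    content_scripts: [{ matches: ["https://example.com/*"], js: ["helper.js"] }] },
  { name: "injector", manifest_version: 3, permissions: ["scripting", "storage"],
    host_permissions: ["*://*/*"] },
];

// Names of the sample extensions that can run code on all sites.
const flagged = () => SAMPLES.map(auditManifest).filter((r) => r.allSites).map((r) => r.name);
console.log(flagged());
```

A flagged manifest is not evidence of malicious behavior; it identifies extensions whose access is broad enough to warrant review before they are permitted on machines where credentials are entered.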

Although Firefox and Safari have adopted MV3 as well, they still allow MV2-based extensions, and the academics excluded them from their research.

To address the identified issues, the academics propose a JavaScript package to help developers protect sensitive input fields, as well as implementing new alerts to notify users when a JavaScript function accesses an input field.

According to the researchers, their experiment was successful because, once allowed to run on a page, an extension has unrestricted access to elements, an improper application of fundamental security principles.

Other issues, the academics say, include the fact that websites often rely on browsers to provide security protections, and that some websites leave sensitive input fields unprotected or apply minimal protections to them.

“We find that the lack of security boundary between the browser extension and the webpage results in novel vulnerabilities. Our case studies and large-scale measurements highlight the extent of these vulnerabilities, with alarming findings such as the exposure of passwords in plain text on over 1000 websites, including popular ones like Google and Cloudflare,” the academics conclude.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
