Your password, please: how to lose personal data in one Chrome extension

Carding

Empower hackers by installing a new plugin.

Researchers from the University of Wisconsin at Madison have discovered a vulnerability in the Google Chrome extension store. An experimental extension that the team developed, and that successfully passed moderation, can steal user passwords directly from the source code of web pages.

The root of the problem is the existing browser permissions model. It gives extensions access to the site's DOM tree and thus to potentially sensitive information, for example input fields.

Researchers point out that the model contradicts the principles of “least privilege” and “complete mediation,” according to which programs should have only the rights they strictly need and every request for access must be checked.

Currently, the permissions architecture does not enforce strict security boundaries between the extension and web page elements. Nothing prevents an attacker, for example, from “intercepting” data as the user enters it, bypassing any security mechanisms on the site’s side.

Just to test the moderation process, experts created a fake plugin that pretends to be a GPT-based assistant. This extension can:
  • Capture HTML source code when a user tries to log into a site.
  • Use CSS selectors to select target input fields and extract information using the ".value" property.
  • Substitute elements by converting protected password fields into vulnerable ones.

The extension does not contain any obviously malicious code and complies with all the requirements of Manifest V3. This allowed it to successfully pass verification before publication in the Chrome Web Store.

Scientists say that approximately 17,300 extensions in the Chrome Web Store have permission to access sensitive information. These include popular ad-blocking software and online shopping apps with millions of downloads.

The analysis showed that of the top 10,000 sites, approximately 1,100 store passwords in clear text within the structure of the web page. Another 7,300 sites were found to be vulnerable through access tools.

Experts especially highlight such large platforms as Gmail, Cloudflare and Facebook.

Google itself and Amazon, which is also at risk, have already commented on the situation. Amazon said that customer safety is most important to them and instructed developers to urgently take action. A Google spokesperson confirmed that the company is investigating the matter.
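
Added example, not part of the original post or the researchers' code: a defender-side audit that rates how much page (DOM) access a Manifest V3 manifest.json requests, which is the permission surface the article describes. The manifest keys are standard Manifest V3 fields; the risk levels are this example's own heuristic and the sample manifests are constructed.

```javascript
// Added example: rate how much page (DOM) access a Manifest V3 manifest requests.
// Match patterns that cover every site: <all_urls>, *://*/*, https://*/*, http://*/*
function isBroad(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

const LEVELS = ['none', 'low', 'medium', 'high']; // heuristic scale (assumption)

function auditManifest(manifest) {
  const findings = [];
  const add = (level, reason) => findings.push({ level, reason });
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  // Content scripts run inside the page and can read its DOM, form inputs included.
  for (const cs of manifest.content_scripts || []) {
    const matches = cs.matches || [];
    if (matches.some(isBroad)) add('high', 'content script injected on every site');
    else if (matches.length) add('medium', `content script limited to ${matches.join(', ')}`);
  }
  // Host permissions plus "scripting" allow injecting code at runtime.
  if (hosts.some(isBroad)) {
    add(perms.includes('scripting') ? 'high' : 'medium', 'host access to every site');
  } else if (hosts.length && perms.includes('scripting')) {
    add('medium', `runtime injection limited to ${hosts.join(', ')}`);
  }
  // activeTab grants page access only after the user invokes the extension.
  if (perms.includes('activeTab')) add('low', 'activeTab: access on user gesture only');
  if ((manifest.optional_host_permissions || []).some(isBroad)) {
    add('low', 'may request all-site access later');
  }
  const level = findings.reduce(
    (max, f) => (LEVELS.indexOf(f.level) > LEVELS.indexOf(max) ? f.level : max), 'none');
  return { name: manifest.name, level, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: 'sample-assistant', manifest_version: 3,
    content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }] },
  { name: 'sample-shop-helper', manifest_version: 3,
    content_scripts: [{ matches: ['https://shop.example/*'], js: ['cs.js'] }] },
  { name: 'sample-clipper', manifest_version: 3, permissions: ['activeTab', 'scripting'] },
  { name: 'sample-theme', manifest_version: 3, permissions: ['storage'] },
];

for (const m of SAMPLES) {
  const r = auditManifest(m);
  console.log(`${r.level.padEnd(6)} ${r.name}: ${r.findings.map(f => f.reason).join('; ')}`);
}
```

To audit installed extensions, parse each manifest.json from the browser profile's extensions directory and pass the object to auditManifest.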
 