Researchers Issue Warning over Chrome Extensions that Access Private Data
Introduction
Researchers at the University of Wisconsin-Madison (UW-M) have discovered that Google Chrome browser extensions pose a significant threat to users’ private data. These extensions can easily tap into sensitive information such as social security numbers, passwords, and banking details. The researchers also found vulnerabilities in the way passwords are stored on the websites of major corporations, including Google, Amazon, Citibank, Capital One, and the Internal Revenue Service.
The Problem
The issue lies in the way extensions access the internal web page code. Although Google has introduced protective measures this year, there is still no protective layer between web pages and browser extensions. As a result, hackers can exploit these vulnerabilities and gain access to users’ private data.
Accessing Sensitive Data
Asmit Nayak, a computer science graduate student at UW-M, explained that without sufficient protective measures, sensitive data such as social security numbers and credit card information are immediately accessible to all extensions running on a page. This presents a significant security risk as private data is left vulnerable.
Plain Text Passwords
The researchers made an alarming discovery during their investigation. They found that a significant percentage of extensions hold the permissions needed to access password fields, and they identified 190 extensions that directly access such fields. This raises concerns about how passwords are held in the HTML source of web pages, where they appear in plain text.
Exploiting Extension Weakness
To test their suspicions, the researchers developed an extension that could exploit these weaknesses and extract plain-text passwords from HTML pages. Containing no malicious code, the extension passed security screening at Google’s Chrome Web Store. This highlights the urgent need for more robust security measures.
Proposed Solutions
In response to their findings, the researchers proposed two solutions to address the problem:
JavaScript Add-on
One solution is the implementation of a JavaScript add-on for all extensions that provides solid protection for sensitive input fields. This would add an extra layer of security to ensure that private data cannot be accessed by unauthorized extensions.
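As an added illustration of what such a protective add-on can do for a sensitive input field (example code written for this article, not the UW-M researchers' add-on), the snippet below keeps the typed password in a closure and writes only mask characters into the DOM, so an extension that reads the field's value sees masks. It assumes a page script attaches it to a password input; the FakeInput class is a constructed stand-in for a real element so the example runs outside a browser.

```javascript
// Added example (not the UW-M researchers' add-on): the plaintext password
// lives only in a closure, and the DOM input holds mask characters, so an
// extension reading input.value from the page gets nothing useful.
const MASK = '\u2022';

function shieldSensitiveField(el) {
  let secret = '';                                 // never written to the DOM
  const render = () => { el.value = MASK.repeat(secret.length); };

  el.addEventListener('keydown', (ev) => {
    if (ev.ctrlKey || ev.metaKey || ev.altKey) return; // shortcuts keep default
    if (ev.key === 'Backspace') secret = secret.slice(0, -1);
    else if (ev.key.length === 1) secret += ev.key;  // printable character
    else return;                                     // Tab, Enter, arrows
    ev.preventDefault();      // the browser must not insert the real character
    render();
  });
  el.addEventListener('paste', (ev) => {
    const text = ev.clipboardData ? ev.clipboardData.getData('text') : '';
    if (text) { secret += text; ev.preventDefault(); render(); }
  });
  render();
  return {
    // Called once by the page's own submit handler; the value goes straight
    // into the request body, never back into a DOM element.
    takeSecret() { const s = secret; secret = ''; render(); return s; },
  };
}

// Constructed stand-in for an <input> element so the example runs outside a browser.
class FakeInput {
  constructor() { this.value = ''; this.listeners = {}; }
  addEventListener(type, fn) { (this.listeners[type] = this.listeners[type] || []).push(fn); }
  dispatch(type, ev) {
    ev.preventDefault = () => { ev.defaultPrevented = true; };
    (this.listeners[type] || []).forEach((fn) => fn(ev));
    return ev;
  }
}

function demo() {
  const el = new FakeInput();
  const field = shieldSensitiveField(el);
  for (const key of 'hunter') el.dispatch('keydown', { key });
  el.dispatch('keydown', { key: 'Backspace' });
  el.dispatch('paste', { clipboardData: { getData: () => '42' } });
  const seenByDom = el.value;                 // what input.value exposes
  return { seenByDom, secret: field.takeSecret(), afterSubmit: el.value };
}
```

Keydown and paste events on the shared DOM remain observable to an extension's content script, so this protects the stored field value rather than the act of typing; treating the cursor as always at the end of the field is a simplification.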
Browser Alert Feature
The second proposal is to add a browser feature that alerts users when an attempt is made to access sensitive data. This would provide users with real-time notifications and give them the opportunity to deny access to their private information.
Implications for Major Websites
The researchers also raised concerns about major websites, specifically Google and Amazon, which do not implement any protections for credit card input fields. This means that credit card details, including the security code and zip code, are visible in plain text on the webpage. This poses a significant security risk, as any malicious extension could potentially access and steal this sensitive information.
Response from Amazon and Google
In response to the report, an Amazon spokesperson encouraged browser and extension developers to use security best practices to further protect their customers. A spokesperson from Google stated that they are currently investigating the matter.
Conclusion
The vulnerabilities discovered by the researchers at UW-M highlight the ongoing concerns surrounding the security of users’ private data when using browser extensions. It is crucial for both browser developers and extension developers to prioritize the implementation of robust security measures to protect users from potential intrusions. Additionally, users should be cautious when installing extensions from unknown sources and regularly update their browsers to ensure they have the latest security protocols in place.