Researchers at the University of Wisconsin-Madison have identified a potential security vulnerability in widely used websites, as reported in TechXplore.
They found that certain browser extensions could exploit HTML code, potentially extracting sensitive user data like passwords and credit card information. The study emphasizes the need for heightened data protection measures online.
This group, led by Ph.D. students Rishabh Khandelwal and Asmit Nayak under the guidance of Kassem Fawaz, an associate professor of electrical and computer engineering at UW-Madison, stumbled upon this issue while investigating Google login pages.
Browser Extension Exploits
The researchers identified that a substantial number of websites - approximately 15% of the 7,000 they examined-store sensitive information as plain text within their HTML source code. While numerous security measures prevent unauthorized access, the team theorized that a browser extension might be able to exploit this vulnerability.
It is worth noting that browser extensions are supplemental features that allow users to personalize their browsing experience, from ad-blocking to productivity enhancements.
Developers, including third parties, can introduce experimental functions through these extensions. The researchers found that a malicious extension, written in a common programming language, could potentially access users' login credentials, passwords, and other protected data.
Fawaz highlights that, although it's not currently happening, an extension could readily obtain users' passwords by leveraging our understanding of extensions and websites. The researchers note that there are currently no safeguards in place to prevent this.
In their survey of extensions for the Google Chrome browser, the team discovered that 17,300, or 12.5% of available extensions, possessed the necessary permissions to exploit this vulnerability. To test if such an extension could go unnoticed, they submitted their own extension to the Chrome Web Store.
Described as an AI assistant with ChatGPT-like features for websites, it was approved without incident. The researchers stress that they never released the extension publicly and promptly removed it after approval.
This demonstrated the potential for such an exploit to evade detection. The team emphasizes that no users were harmed during this process.
Read Also: Online Games' Dubious Data-Collecting Practices Revealed in New Study
Google's Response
Khandelwal suggests that a real hacker would likely take a different approach. "Somebody who's malicious does not need to start from scratch. They can get access to existing extensions, for instance, by buying one with lots of users and tweaking the code a little bit. They could maintain the functionality and get access to the passwords very easily," Fawaz said.
Fawaz believes that this potential vulnerability may not be an oversight; browser security might be configured this way to allow popular password manager extensions access to password information.
Google, in response to the researchers, has stated that they are investigating the matter and do not view it as a security flaw, particularly if extension permissions are appropriately configured.
Nonetheless, Fawaz remains concerned and hopes this research will prompt websites to reconsider how they manage sensitive information. His team recommends implementing alerts to notify users when sensitive data is accessed by browser extensions, along with tools for developers to safeguard these data fields.
"It's a dangerous thing," Fawaz said. "This is something that people really need to know: Passwords aren't always safe on browsers."
The findings of the study were published in arXiv.
Related Article: OpenAI's New 'Preparedness' Team Focuses on Countering 'Catastrophic' AI Risks, 'Human Extinction'
