Researchers show how Chrome extensions can steal plaintext passwords from popular sites such as Gmail, Cloudflare and Facebook


In case one thinks this affects only three or four websites: the researchers' measurements of the top 10,000 websites in the Tranco list found roughly 1,100 that place user passwords in plain text within the HTML DOM (visible in the page's source), and another 7,300 from the same set whose password input fields can be read directly through the DOM API, so that whatever the user types into the field can be extracted.

The researchers trace the problem to a systemic practice: a browser extension's content script is given unrestricted access to the DOM tree of every page it runs on, which includes sensitive elements such as password input fields. Because there is no security boundary between the extension's content script and the page's DOM, the extension can read any element, not only what is visible in the page source but also the current value a user has typed into a field, and extract it.

It certainly needs a fix. Exploiting the weakness requires the user to install an extension that deliberately abuses its DOM access, so installing only reputable extensions, and only those that genuinely need access to every site, helps. But two other improvements are needed. Manifest V3 (the extension platform version that most Chromium-based browsers, not just Chrome, have adopted) isolates an extension's JavaScript from the page's own scripts but still hands content scripts the entire DOM; it should provide a real security boundary between extensions and sensitive page elements. And, most importantly, websites should not be placing passwords in the HTML DOM in plain text, although that alone does not stop a content script from reading what the user types into a password field.
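The two access paths the study distinguishes, reading a password that is already present in the served HTML and reading a field's live value through the DOM, as an added JavaScript example that is not code from the paper or the article. It assumes a hypothetical Manifest V3 manifest (EXAMPLE_MANIFEST) and stands in for the browser DOM with constructed objects, since Node has none; the sample page and values are constructed. The source audit could run in CI against rendered templates, while the live-capture part illustrates the caveat on the remedy above: keeping passwords out of the HTML does not stop a content script from reading what the user types.

```javascript
// Added example, not code from the paper or the article. Node has no DOM,
// so constructed stand-ins play the part of the page; in a real extension
// `root` would be the page's `document` and nothing else would change.

// Hypothetical Manifest V3 manifest (assumed shape, not any real extension):
// a content script matched against every site needs only the host access
// the user grants at install time to reach every page's DOM.
const EXAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "example-dom-reader",
  version: "0.1",
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"], run_at: "document_idle" },
  ],
};

// Snapshot: every input[type=password] in the page with its current value.
// This is the "DOM API access" class the study counted.
function harvestPasswordFields(root) {
  const found = [];
  for (const el of root.querySelectorAll('input[type="password"]')) {
    found.push({ name: el.name || el.id || "(unnamed)", value: el.value });
  }
  return found;
}

// Live capture: an `input` listener sees the field value after every
// keystroke, so a field that is empty in the served HTML still leaks.
function watchPasswordFields(root, report) {
  for (const el of root.querySelectorAll('input[type="password"]')) {
    el.addEventListener("input", () => report(el.name || el.id || "(unnamed)", el.value));
  }
}

// Source-level audit for the other class the study counted: password
// fields whose value is already present in the HTML the server sent.
// Works on a string, so it can run in CI against rendered templates.
function findPlaintextPasswordsInSource(html) {
  const hits = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/\btype\s*=\s*["']?password["']?/i.test(tag)) continue;
    const m = tag.match(/\bvalue\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    const value = m ? (m[1] ?? m[2]) : "";
    if (value.length > 0) hits.push({ tag, value });
  }
  return hits;
}

// ---- constructed stand-ins for the page DOM (Node has none) ----
function fakeInput(attrs) {
  const listeners = {};
  return {
    ...attrs,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    // Stand-in for the user typing: set the value, then fire `input`.
    simulateTyping(text) { this.value = text; (listeners.input || []).forEach((fn) => fn()); },
  };
}

function fakeDocument(inputs) {
  return {
    querySelectorAll(selector) {
      if (selector !== 'input[type="password"]') throw new Error("stand-in only supports the password selector");
      return inputs.filter((i) => i.type === "password");
    },
  };
}

// Constructed sample page: one password field pre-filled by the server
// (plaintext in source) and one empty field the user will type into.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" value="alice">
  <input type="password" name="pass" value="hunter2">
  <input type='password' id='confirm'>
</form>`;

function demo() {
  const pass = fakeInput({ type: "password", name: "pass", value: "hunter2" });
  const confirm = fakeInput({ type: "password", id: "confirm", value: "" });
  const doc = fakeDocument([fakeInput({ type: "text", name: "user", value: "alice" }), pass, confirm]);

  const typed = [];
  watchPasswordFields(doc, (name, value) => typed.push({ name, value }));
  confirm.simulateTyping("h");
  confirm.simulateTyping("hunter2");

  return {
    inSource: findPlaintextPasswordsInSource(SAMPLE_HTML), // only `pass` is pre-filled in the HTML
    harvested: harvestPasswordFields(doc),                 // both fields, with current values
    typed,                                                 // `confirm` as the user typed it
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The contrast in demo() is the point: the source audit flags only the pre-filled field, while the DOM snapshot and the keystroke listener see both, which is why fixing the HTML alone leaves the 7,300-site class untouched.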

See https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-plaintext-passwords-from-websites/

Steve Gibson’s discussion at https://www.grc.com/sn/SN-938-Notes.pdf
Original Research Report and Remedies at https://arxiv.org/pdf/2308.16321.pdf