Researchers from the University of Wisconsin–Madison have discovered that malicious browser extensions can still make their way into the official Google Chrome app store, despite the introduction of the security and privacy standard known as Manifest V3. In a research paper posted online, the researchers shared their proof-of-concept browser extension that successfully passed the Chrome Web Store review process while being able to steal passwords and sensitive data.
Manifest V3, which is also supported by Microsoft Edge and Mozilla Firefox, aims to strike a balance between allowing browser extensions to have the necessary access to run effectively, while preventing malicious extensions from having the same access. The standard enhances security measures by prohibiting extensions from downloading code from remote websites and preventing changes in functionality once they are installed.
However, the researchers were able to build a data-stealing extension that bypassed the Chrome store’s review process by leveraging techniques from static and dynamic code injection attacks. They identified two vulnerabilities in input fields, one of which is the presence of passwords in plaintext within the HTML source code of web pages.
Despite the adoption of Manifest V3, the extension was still able to access the entire contents of web pages, including sensitive information entered by users such as passwords, social security numbers, and credit card details. The researchers disguised their extension as a GPT-based assistant offering ChatGPT-like functions, allowing it to plausibly request permissions to run on all websites.
The extension utilized three types of attacks: source extraction attacks, value attacks, and element substitution attacks. These attacks allowed the researchers to copy sensitive values from input fields, to select target input fields and read their values, and to bypass JavaScript-based obfuscation to extract sensitive data.
The researchers explained that the success of these attacks relies on the fact that browser extensions have full and unfettered access to the Document Object Model (DOM) of every webpage visited. The DOM represents a webpage in computer memory and can be accessed and modified, granting extensions the power to read and modify text input fields, including password fields. They found that most of the top 10,000 websites, including popular ones like google.com, facebook.com, and amazon.com, are vulnerable to these attacks.
According to the researchers, a significant number of extensions possess the necessary permissions to exploit these vulnerabilities, with 190 extensions directly accessing password fields. They highlighted the prevalence of these vulnerabilities across various websites, including high-traffic sites that expose sensitive user information in their HTML source code.
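One defensive check a site owner can run for the exposure described above, as an added example that is not part of the paper or this article: an offline scan of server-rendered HTML for sensitive input fields whose value is embedded in the page source. The autocomplete tokens are the standard HTML autofill field names; the sample page is constructed.

```javascript
// Added example (not the researchers' code): audit an HTML document for
// password or payment inputs whose value is rendered into the page source,
// the "plaintext in HTML" exposure the researchers describe. Intended to run
// offline over your own server-rendered pages before they ship.
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'cc-number', 'cc-csc', 'one-time-code',
]);

// Parse the attributes of one <input ...> start tag into a plain object.
// Handles double-quoted, single-quoted and unquoted values; a bare attribute
// (e.g. "required") is recorded with an empty string value.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per <input> that is a password field or carries a
// sensitive autocomplete token AND has a non-empty value in the source.
function auditHtmlForPlaintextInputs(html) {
  const findings = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttributes(m[1]);
    const type = (a.type || 'text').toLowerCase();
    const autocomplete = (a.autocomplete || '').toLowerCase();
    const sensitive = type === 'password' || SENSITIVE_AUTOCOMPLETE.has(autocomplete);
    if (sensitive && 'value' in a && a.value !== '') {
      findings.push({ name: a.name || a.id || '(unnamed)', type, autocomplete });
    }
  }
  return findings;
}

// Constructed sample page: a password field rendered with its value, a card
// number field with an autofill token, a clean password field and a username.
const SAMPLE_HTML = `
<form>
  <input type="text" name="user" value="alice">
  <input type="PASSWORD" name="pass" value='hunter2'>
  <input name="card" autocomplete="cc-number" value=4111111111111111>
  <input type="password" name="confirm" required />
</form>`;

console.log(JSON.stringify(auditHtmlForPlaintextInputs(SAMPLE_HTML), null, 2));
```

The scan reports the `pass` and `card` fields only; a field with an empty or absent `value` attribute is not an exposure and is skipped.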
These findings shed light on the risks posed by malicious browser extensions not only to Google Chrome but to all browsers. Previous research has already shown that more than half of all browser extensions currently installed are high risk and have the potential to cause extensive damage to organizations.
To mitigate these risks, the researchers proposed countermeasures that can be implemented through add-on packages or built-in solutions within the browser itself. Website developers can adopt a proposed JavaScript package to protect sensitive input fields, while browsers can implement alerts when extensions access these fields to keep users informed.
The discovery made by the University of Wisconsin–Madison researchers underscores the ongoing battle to ensure the security of browser extensions and protect users from malicious attacks. While Manifest V3 aimed to enhance security measures, the ability of malicious extensions to still pass the Chrome Web Store review process highlights the need for continued vigilance and the development of further safeguards.
