Your passwords are in the sights of malicious Chrome extensions

Emre Çitak
Sep 4, 2023
Updated • Sep 4, 2023

Chrome extensions are a powerful way to add new features and functionality to your browser. However, it's important to be aware that not all extensions are created equal. Some extensions can be malicious and steal your personal data, including your passwords.

In a recent study, researchers from the University of Wisconsin-Madison found that approximately 17,300 extensions in the Chrome Web Store (12.5%) have the required permissions to extract sensitive information from websites, including passwords.

This means that if you install one of these malicious extensions, it could potentially steal your passwords from any website you visit.


The report highlighted several notable websites that were lacking in security protections. These websites included:

  • Gmail, where plaintext passwords were visible in the HTML source code
  • Cloudflare, where plaintext passwords were also visible in the HTML source code
  • Facebook, where user inputs could be extracted via the DOM API
  • Citibank, where user inputs could also be extracted via the DOM API
  • The IRS, where Social Security numbers (SSNs) were visible in plaintext form on the web page source code
  • Capital One, where SSNs were also visible in plaintext form on the web page source code
  • USENIX, where SSNs were also visible in plaintext form on the web page source code
  • Amazon, where credit card details (including the security code and ZIP code) were visible in plaintext form on the page's source code

The report also noted that these are just a few examples of websites that may be vulnerable to security breaches. It is important for all website owners to take steps to protect their users' data, such as encrypting passwords and using a secure web application firewall (WAF).

How can Chrome extensions steal passwords?

There are a few ways that Chrome extensions can steal passwords. One way is by using the "read all your data on all websites" permission. This permission allows the extension to read the contents of any web page, including the password fields.

Another way that Chrome extensions can steal passwords is by using the "access your data on all websites" permission. This permission allows the extension to read and change your browser's cookies. Cookies are often used to store passwords, so an extension with this permission could potentially steal your passwords from your cookies.


How to protect yourself from malicious Chrome extensions

There are a few things you can do to protect yourself from malicious Chrome extensions:

  • Only install extensions from trusted sources, such as the Chrome Web Store.
  • Before installing an extension, read the permissions that it requests. If an extension requests the "read all your data on all websites" or "access your data on all websites" permission, be very careful about installing it.
  • Keep your Chrome browser up to date. Google regularly releases security updates for Chrome, which can help to protect you from malicious extensions.
  • Use a password manager, such as Proton Pass, to store your passwords. A password manager will encrypt your passwords and keep them safe from prying eyes.
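
One way to carry out the permission check described above, as an added example that is not from the original article or the study: a Python audit of an extension's manifest.json. It assumes the warnings quoted above correspond to all-sites host match patterns in the manifest; the function names and both sample manifests are constructed for illustration.

```python
import json

# Match patterns that grant access to every site (Chrome match-pattern syntax).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _is_broad(pattern):
    """True if a host match pattern covers all hosts for some scheme."""
    if pattern in BROAD_PATTERNS:
        return True
    # e.g. "https://*/login*": wildcard host with a path restriction
    scheme, sep, rest = pattern.partition("://")
    return bool(sep) and rest.split("/", 1)[0] == "*"

def audit_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    findings = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):
                continue
            if _is_broad(entry):
                findings.add(f"{key}: all-sites host access ({entry})")
            elif entry == "cookies":
                # The cookies API reads cookies for hosts the extension can access.
                findings.add(f"{key}: cookies API")
    # Content scripts run inside the page and can read its DOM, form fields included.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if _is_broad(pattern):
                findings.add(f"content_scripts: injected on all sites ({pattern})")
    return sorted(findings)

# Constructed sample manifests (not real extensions).
SAMPLE_MV3 = json.loads("""{
  "manifest_version": 3, "name": "Sample Tab Helper",
  "permissions": ["storage", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]
}""")
SAMPLE_SCOPED = json.loads("""{
  "manifest_version": 3, "name": "Sample Site Tool",
  "permissions": ["storage"],
  "host_permissions": ["https://*.example.com/*"]
}""")

if __name__ == "__main__":
    for m in (SAMPLE_MV3, SAMPLE_SCOPED):
        print(m["name"], "->", audit_manifest(m) or "no broad access")
```

An extension limited to a named site, like the second sample, produces no findings; anything the audit flags deserves the closer look the list above recommends.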
