A proof-of-concept extension that can extract plaintext passwords from a website’s source code has been released to the Chrome Web Store by a team of researchers from the University of Wisconsin-Madison.
The coarse-grained permission architecture supporting Chrome extensions breaches the concepts of least privilege and complete mediation, according to an analysis of text input fields in web browsers.
The researchers also discovered that a large number of popular websites, including certain Google and Cloudflare portals, save passwords in plaintext in the HTML source code of their web pages, making it possible for extensions to access them. These websites receive millions of visitors each month read more Chrome extensions can steal plaintext passwords from websites.
Stay informed with the best cybersecurity news and raise your cybersecurity awareness with our comprehensive coverage of the latest threats, breaches, and solutions.