Chrome extensions are a great way to add new features and functionality to your browser. However, it is important to be aware that some extensions can be malicious and try to steal your personal data, such as passwords.

In a recent study, researchers from the University of Wisconsin-Madison found that about 17,300 extensions in the Chrome Web Store (12.5%) have the required permissions to extract sensitive information from websites, including passwords.
This means that if you install one of these malicious extensions, it could steal your passwords from any website you visit.
The University of Wisconsin-Madison found that there are approximately 17,300 malicious Google Chrome extensions in the Chrome Web Store.
The research publication cited several notable websites that lacked security protection:
- Gmail, where plain text passwords were visible in the HTML source code
- Cloudflare, where plain text passwords were also visible in the HTML source code
- Facebook, where user inputs could be extracted via the DOM API
- Citibank, where user inputs could also be exported via the DOM API
- The IRS, where Social Security Numbers (SSNs) were visible in plain text in the website's source code
- Capital One, where SSNs were also visible in plain text in the website's source code
- USENIX, where SSNs were also visible in plain text in the website's source code
- Amazon, where credit card information (including security code and zip code) was visible in plain text in the page's source code
The research also says that these are just a few examples of websites that are vulnerable to security breaches. It is important for all website owners to take steps to protect their users' data, such as encrypting passwords and using a secure web application firewall (WAF).
How can Chrome extensions steal passwords?
One way is to use the "read all your data on all websites" permission. This permission allows the extension to read the contents of any web page, including password fields.
Another way Chrome extensions can steal passwords is by using the "access your data on all websites" permission. This permission allows the extension to read and change your browser's cookies. Cookies are often used to store passwords, so an extension with this permission could potentially steal your passwords from your cookies.
What you can do to protect yourself from malicious Chrome extensions:
- Only install extensions from trusted sources, such as the Chrome Web Store.
- Before installing an extension, read the permissions it requests. If an extension asks for "read all your data on all sites" or "access your data on all sites" permission, be very careful about installing it.
- Keep your Chrome browser up to date. Google regularly releases security updates for Chrome, which can protect you from malicious extensions.
- Use a password manager to save your passwords. A password manager encrypts your passwords and protects them from prying eyes.
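
The permission check described above can also be run against extensions that are already installed. The Python script below is an added example, not code from the study or from Chrome: it reads each extension's manifest.json and reports all-sites access, which a manifest declares as a broad match pattern such as `<all_urls>`. The function names and sample manifests are constructed for illustration, and the caller supplies the path to a browser profile's Extensions folder, where each extension is stored as `<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

# Chrome match patterns that cover every website.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (empty = no all-sites access)."""
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    declared = [p for key in ("permissions", "host_permissions")
                for p in manifest.get(key, []) if isinstance(p, str)]
    findings = []
    hosts = sorted(set(declared) & BROAD)
    if hosts:
        findings.append("host access to all sites: " + ", ".join(hosts))
        if "cookies" in declared:
            findings.append("cookies API usable on all sites")
    # Content scripts run inside matching pages and can read the DOM, form fields included.
    for script in manifest.get("content_scripts", []):
        broad = sorted(set(script.get("matches", [])) & BROAD)
        if broad:
            findings.append("content script on all sites: " + ", ".join(broad))
    # Optional permissions are not active at install time but can be requested later.
    optional = [p for key in ("optional_permissions", "optional_host_permissions")
                for p in manifest.get(key, []) if isinstance(p, str)]
    later = sorted(set(optional) & BROAD)
    if later:
        findings.append("may request all-sites access later: " + ", ".join(later))
    return findings

def audit_extensions_dir(ext_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions directory."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[path.parent.parent.name] = ["manifest could not be parsed"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[path.parent.parent.name] = findings
    return report

# Constructed sample manifests (not real extensions).
SAMPLE_BROAD = {"manifest_version": 3, "name": "Sample A", "permissions": ["cookies", "storage"],
                "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "Sample B", "permissions": ["storage"],
                 "host_permissions": ["https://example.com/*"]}
```

A finding means the extension is able to read page content on every site, not that it is malicious; it marks the extensions whose publisher and purpose deserve a closer look.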
