University of Wisconsin-Madison researchers have discovered a potential security vulnerability in popular websites, according to a report from TechXplore. The researchers found that certain browser extensions could exploit HTML code, potentially extracting sensitive user data such as passwords and credit card information. This highlights the importance of improved data protection measures online.
The study was led by Ph.D. students Rishabh Khandelwal and Asmit Nayak, under the guidance of Kassem Fawaz, an associate professor of electrical and computer engineering at UW-Madison. The researchers came across this issue while investigating Google login pages.
The team identified that approximately 15% of the 7,000 websites they examined stored sensitive information in plain text within their HTML source code. While there are security measures in place to prevent unauthorized access, the researchers theorized that a browser extension could potentially exploit this vulnerability.
Browser extensions are additional features that allow users to customize their browsing experience, ranging from ad-blocking to productivity enhancements. Developers, including third parties, can introduce experimental functions through these extensions. The researchers discovered that a malicious extension written in a common programming language could potentially access users’ login credentials, passwords, and other protected data.
Fawaz emphasized that although this is not currently happening, an extension could easily obtain users’ passwords by leveraging our knowledge of extensions and websites. The researchers noted that there are currently no safeguards in place to prevent this.
In their investigation of extensions for the Google Chrome browser, the team found that 17,300, or 12.5% of available extensions, had the necessary permissions to exploit this vulnerability. To test the possibility of going unnoticed, they submitted their own extension to the Chrome Web Store. Described as an AI assistant with ChatGPT-like features for websites, it was approved without any issues. The researchers stress that they never released the extension publicly and promptly removed it after approval, demonstrating the potential for such an exploit to evade detection. They also confirm that no users were harmed during this process.
In response to the researchers’ findings, Khandelwal suggests that a real hacker would likely take a different approach. Fawaz believes that this potential vulnerability may not be an oversight; browser security settings might be configured this way to allow popular password manager extensions access to password information.
Google is currently investigating the matter and does not view it as a security flaw, especially if extension permissions are appropriately configured. However, Fawaz remains concerned and hopes this research will prompt websites to reconsider how they handle sensitive information. His team recommends implementing alerts to notify users when sensitive data is accessed by browser extensions, as well as providing tools for developers to protect these data fields.
The study’s findings were published in arXiv. Fawaz concludes by stating, “It’s a dangerous thing. This is something that people really need to know: Passwords aren’t always safe on browsers.”
I have over 10 years of experience in the cryptocurrency industry and I have been on the list of the top authors on LinkedIn for the past 5 years. I have a wealth of knowledge to share with my readers, and my goal is to help them navigate the ever-changing world of cryptocurrencies.
