This Chrome extension can steal your passwords - and Google has no problem with it

This ChatGPT Chrome extension is actually just a password stealer

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A malicious extension forGoogleChrome has been developed that experts warn can steal passwords in plaintext format.

Researchers from the University of Wisconsin-Madison recently uploaded a proof-of-concept to the Chrome Web Store to show users' passwords can be extracted from a website’s source code.

In examining the text input fields ofweb browsers, the researchers found that Chrome has greater privileges than it should due to the coarse-grained permission model it uses. This allows extensions to retrieve the data from these fields.

Plain text stealing

To compound the problem, the researchers found that popular websites with visitors in the millions - including Gmail, Facebook, andAmazon, to name a few - store user passwords in plain text within the HTML code of their pages, making it possible for extensions to see what they are.

The researchers said that extensions are routinely given unrestricted access to websites' DOM trees, which allows them to ascertain the content of text input fields and a page’s source code, with no buffer in place between the extension and the website code to prevent this.

The researcher’s extension can also manipulate the DOM API to extract text from an input field on a website as the victim is typing, which bypasses any security attempts from the website to obfuscate sensitive text like passwords.

Even though Google recently launched the Manifest V3 protocol for Chrome extensions, which is supposed to limit abuse to APIs, prevent arbitrary code execution and stop extensions from using remote code to avoid detection, the researchers claim that it does not offer protection between extensions and web pages, so content scripts are still vulnerable.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

In order to see if the extension would get through Google’s review process, the researchers decided to upload their extension to the Chrome Web Store under the guide of aChatGPTassistant.

Since it does not contain malicious code or retrieve code from external sources, it is compliant with Manifest V3. Google therefore allowed it to be uploaded to its store. The researchers did not actually steal any user data, though. They also left the extension as unpublished and removed it from the store soon after it was approved.

The researchers claim that over a thousand of the world’s most popular websites store user passwords in plain text within their HTML source code, and a further 7,300 sites are vulnerable to DOM API access, allowing for direct extraction of user inputs.

They also said that roughly 17,300 (12.5%) Chrome extensions can extract this kind of sensitive information legitimately via permissions granted to them by Google. Many have millions of installs, and include popular ad blockers and shopping apps.

More from TechRadar Pro

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time