This post is also available in: heעברית (Hebrew)

A group of digital security researchers at the University of Wisconsin–Madison discovered that contrary to popular belief, our data is not always protected when we type our password or credit card number into a website. Some popular websites are vulnerable to browser extensions that can extract user data like passwords, credit card information, and social security numbers from HTML code.

According to Techxplore, the researchers discovered the issue while investigating Google login webpages, stating that they could see the password in plain text in the HTML source code, which made them want to investigate further. They discovered that a huge number of websites store sensitive information as plain text in their HTML source code, and while many security measures keep hackers from accessing this data, the team said it might be possible to access it using a browser extension.

The researchers found that a malicious extension could use code written in a common programming language to grab users’ login information, passwords, and other protected data. The team surveyed the extensions available for Google Chrome and found that 17,300 (12.5%) of the available browser extensions had permissions that could exploit this vulnerability.

To see whether it was feasible for a malicious extension to make it to the public, the team developed their own extension and submitted it to the Chrome Web Store, describing it as an AI assistant offering ChatGPT-like functions on websites, and the store approved the extension.

One of the researchers, Rishabh Khandelwal, says that the average hacker would most likely not create something from scratch, but rather gain access to existing extensions by buying one with lots of users and tweaking the code, thus maintaining functionality and getting access to information.

Surprisingly, it seems that this vulnerability is actually not an oversight, but rather browser security is configured this way to let popular password manager extensions access password information. Google even responded to the researchers and stated it is looking into the matter but does not consider this a security flaw, especially if permissions for the extensions are configured correctly.

Kassem Fawaz, professor of electrical and computer engineering and leader of the research, stated that he is still concerned, and hopes his research will convince websites to rethink the way they handle this sensitive information.