Your Browser's Extensions May Be Reading Your Passwords

We should all take common-sense steps to make sure our data stays safe and secure: use strong passwords with our accounts, and never reuse passwords; employ two-factor authentication on any account that offers it; and avoid clicking strange links in emails or text messages. But even when you follow all those rules, your personal data can still be at risk, strictly because the services you rely on aren't following these rules themselves.

Some websites are putting your passwords at risk

Researchers at the University of Wisconsin-Madison discovered that a concerning number of browser extensions can access sensitive information that you enter into websites. Think passwords, credit card info, and Social Security numbers.

The team behind the discovery says they weren't out looking to break a security story. Instead, they were "messing around with login pages," specifically Google login pages, when they found that the sites' HTML source code could see the passwords they entered in plain text. They turned their sights onto other websites—more than 7,000, reportedly—and found that about 15% of them were also storing sensitive information in plain text. That's over 1,000 websites exposing important data.

That, of course, is not supposed to happen: When you enter sensitive data into a website—say, your password into Google's login page—that site shouldn't see your password at all. In short, the sites confirm your passwords through hashing algorithms—essentially, jumbling your password into a code that can be checked against the code the site stores on their end. They can then confirm you entered the right password without ever exposing the actual text. By storing things like passwords and Social Security numbers in plain text, those sites are exposing that data to anyone in the know.

Importantly, that includes browser extensions. The researchers claim that 17,300 Chrome extensions—or 12.5% of the extensions available for download on Google's browser—have the permissions they need to view this sensitive plain text data. Think about the permissions you ignore when setting up a new extension, including permissions that give extensions full access to see and change what you enter on a webpage. Researchers didn't expose any extensions by name, as the situation is not necessarily the fault of the extensions, but considering the scope, it's possible some of the extensions you use can access sensitive information you enter in certain sites.

Again, legitimate extensions are not the priority: Instead, it's the risk that a developer will create an extension with the intent of scraping sensitive info stored in plain text. While the researchers claim there are no extensions actively abusing this vulnerability yet, this isn't a theoretical problem. Researchers created an extension from scratch that could pull this user data, uploaded it to the Chrome Web Store, and got it approved. They took it down immediately, but proved it's possible for a hacker to get such a malicious extension on the official store. Even if the hacker didn't make the extension, they could acquire a legitimate extension with an existing user base, adjust the code to take advantage of the vulnerability, and spring the updated extension on unsuspecting users. It happens all the time, and not just on Chrome.

How to protect your sensitive data from malicious browser extensions

Unfortunately, there's little you can do to prevent these sites from storing your passwords, credit cards, and Social Security numbers in plain text. The hope is, following these discoveries, websites will improve their security and kill the vulnerabilities on their end. But that's on them, not you.

There are some steps you can take to mitigate the damage, however. First, make sure to limit your use of browser extensions. The fewer extensions you use, the less likely it is you'll use a malicious one. Use only extensions you fully trust, and frequently check in on updates. If the extension changes hands to a new developer, vet that new owner before continuing to use it. You could even disable your extensions when sharing sensitive information with websites. If you need to provide your Social Security number on an official web form, for example, you could disable your extensions to prevent them from reading the data.

You can also limit the data you share that could stored in plain text. If given the option, use passkeys instead of passwords, as passkeys don't actually use any plain text data that hackers could steal. Similarly, use secure payment systems, such as Apple Pay or Google Pay, which don't actually share your credit card information with the website you're making a payment on. The name of the game is to avoiding typing out your sensitive details unless absolutely necessary—and then, reducing the parties who can see those details.

View the full article