It all started almost by chance. Researchers from the University of Wisconsin-Madison in the United States were poking around on login pages when they noticed that, in the HTML source code, they could see the password in clear text.
They wondered why this happened and made a stunning discovery: in some cases, popular websites are vulnerable to browser extensions that can extract data such as passwords or banking information.
“This is a dangerous thing”
In detail, the authors of this study found that 15% of the 7,000 sites they examined stored sensitive information in plain text in their HTML source code. In theory, security measures exist to prevent malicious actors from getting hold of it. Except that these measures can be bypassed using a browser extension, the researchers say.
The researchers were thus able to show that a malicious extension can run its own code to recover this sensitive data. Focusing on Google Chrome, they estimate that 17,300 extensions, or 12.5% of the total, have the permissions needed to do so.
To prove the point, the researchers even created their own malicious extension, which was accepted on the Chrome Web Store. The aim was to demonstrate that the maneuver is quite simple to carry out. They never distributed the tool and quickly deleted it afterwards.
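To make the finding concrete, here is an added audit helper (it is not from the study or from the article) that a site owner can run over server-rendered HTML to flag sensitive form fields whose values are already present as plain text in the markup; the function names and the sample form are assumptions.

```javascript
// Added example (not the researchers' code): audit server-rendered HTML for
// sensitive <input> fields that ship with a prefilled value in the markup.
// Anything that sits in the DOM as plain text is readable by any script that
// has DOM access, including a browser extension with the right permissions.
const INPUT_TAG_RE = /<input\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one <input ...> tag into a lower-cased map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Classify a field as "password", "financial" (card/IBAN/SSN hints) or null.
function isSensitive(attrs) {
  if ((attrs.type || "").toLowerCase() === "password") return "password";
  const hint = `${attrs.autocomplete || ""} ${attrs.name || ""} ${attrs.id || ""}`.toLowerCase();
  if (/cc-number|card|iban|ssn/.test(hint)) return "financial";
  return null;
}

// Return one finding per sensitive input that carries a non-empty value attribute.
// Only the value length is reported, so the audit output itself never leaks the secret.
function auditPlaintextFields(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    const kind = isSensitive(attrs);
    if (kind && (attrs.value || "").length > 0) {
      findings.push({ kind, name: attrs.name || attrs.id || "(unnamed)", length: attrs.value.length });
    }
  }
  return findings;
}

// Constructed sample markup for the demo, not taken from any real site.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" value="alice">
  <input type="password" name="pass" value="hunter2">
  <input type="text" name="cardnum" autocomplete="cc-number" value="4111111111111111">
  <input type="password" name="confirm">
</form>`;

console.log(auditPlaintextFields(SAMPLE_HTML));
```

The empty `confirm` field is not reported, because the finding only concerns secrets that are actually present in the source, not password fields as such.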
Quoted by Techxplore, Kassem Fawaz, one of the researchers involved in the study, warns: “It's a dangerous thing. This is something people really need to know: Passwords aren't always secure in browsers.”
For its part, Google has responded directly to the authors. The tech giant explains that it is studying the issue, but does not consider it a security flaw, especially if the permissions granted to extensions are correctly configured, our colleagues report.
As a reminder, last July, researchers from the company Kaspersky spotted a malicious payload in 34 extensions for the Google Chrome browser. Downloaded more than 87 million times, these extensions can do serious damage to the computers concerned.
They are notably able to take screenshots, activate the microphone or camera on your PC, and even bombard you with advertisements. Following this alert, Google quickly removed these extensions. You can find more details on this case in our article here.