Your Browser Extensions May Be Reading Your Passwords.

We should all take reasonable steps to keep our data secure: use strong passwords for your accounts and never reuse the same passwords; use two-factor authentication for any account that offers it; and avoid clicking suspicious links in emails or text messages. But even if you follow all these rules, your personal data may still be at risk simply because the services you use don’t adhere to them.
Some websites put your passwords at risk.
Researchers from the University of Wisconsin-Madison have discovered that an alarmingly large number of browser extensions can access sensitive information you enter on websites, including passwords, credit card information, and Social Security numbers.
The team that discovered the vulnerability claims their goal wasn’t to uncover any security-related story. Instead, they “experimented with login pages”—specifically, Google’s—and discovered that the websites’ HTML source code could reveal passwords entered in cleartext. They then turned their attention to other websites—reportedly over 7,000—and discovered that about 15% of them also stored sensitive information in cleartext. That’s over 1,000 websites revealing sensitive data.
Of course, this shouldn’t happen: when you enter sensitive data on a website—for example, your password on a Google sign-in page—that site shouldn’t see your password at all. In short, websites verify your passwords using hashing algorithms—essentially converting your password into a code that can be checked against the code stored on their end. They can then confirm that you entered the correct password without revealing the text itself. By keeping data like passwords and Social Security numbers in plaintext, these sites expose that data to anyone who knows where to look for it.
It’s important to note that “anyone” includes browser extensions. The researchers claim that 17,300 Chrome extensions—or 12.5% of all extensions available for download on Google’s browser—have the necessary permissions to view this sensitive data in plaintext. Consider the permissions you ignore when setting up a new extension, including permissions that grant extensions full access to view and modify what you type on a webpage. The researchers didn’t name specific extensions, as the situation isn’t necessarily the fault of the extensions themselves, but given the scale of the problem, it’s possible that some of the extensions you use could access sensitive information you enter on certain websites.
Again, the concern isn’t legitimate extensions: instead, the risk is that a developer creates an extension with the intent of collecting sensitive information stored in plaintext. While the researchers say no extensions are actively exploiting this vulnerability yet, it’s not a theoretical concern. The researchers created an extension from scratch capable of obtaining this user data, uploaded it to the Chrome Web Store, and received approval. They immediately removed it, but demonstrated that it’s possible for a hacker to publish such a malicious extension to the official store. Even if the hacker didn’t create the extension, they could gain access to a legitimate extension with an existing user base, modify the code to exploit the vulnerability, and push the updated extension to unsuspecting users. This happens all the time, and not just in Chrome.
How to protect your privacy from malicious browser extensions
Unfortunately, there’s little you can do to prevent these sites from storing your passwords, credit card numbers, and Social Security numbers in plaintext. Hopefully, after these revelations, websites will improve their security and fix the vulnerabilities on their end. But that’s their problem, not yours.
However, there are several steps you can take to minimize the damage. First, be sure to limit your use of browser extensions. The fewer extensions you use, the less likely you are to use a malicious one. Use only extensions you completely trust, and check for updates regularly. If an extension has a new developer, verify the new owner before continuing to use it. You can even disable your extensions when sharing sensitive information with websites. For example, if you need to provide your Social Security number on an official web form, you can disable your extensions to prevent them from reading that data.
You can also limit the amount of data you transmit that could be stored in cleartext. If possible, use passkeys instead of passwords, as passkeys don’t actually contain any cleartext data that hackers could steal. Similarly, use secure payment systems like Apple Pay or Google Pay, which don’t actually transmit your credit card information to the website you’re paying on. The key is to avoid entering sensitive information unless absolutely necessary, thereby limiting who can see it.