This Chrome extension can steal your passwords - and Google has no problem with it

News
By published

This ChatGPT Chrome extension is actually just a password stealer

Google Chrome
(Image credit: Shutterstock)
Jump to:

A malicious extension for Google Chrome has been developed that experts warn can steal passwords in plaintext format. 

Researchers from the University of Wisconsin-Madison recently uploaded a proof-of-concept to the Chrome Web Store to show users' passwords can be extracted from a website's source code.

In examining the text input fields of web browsers, the researchers found that Chrome has greater privileges than it should due to the coarse-grained permission model it uses. This allows extensions to retrieve the data from these fields.

Plain text stealing

To compound the problem, the researchers found that popular websites with visitors in the millions - including Gmail, Facebook, and Amazon, to name a few - store user passwords in plain text within the HTML code of their pages, making it possible for extensions to see what they are. 

The researchers said that extensions are routinely given unrestricted access to websites' DOM trees, which allows them to ascertain the content of text input fields and a page's source code, with no buffer in place between the extension and the website code to prevent this. 

The researcher's extension can also manipulate the DOM API to extract text from an input field on a website as the victim is typing, which bypasses any security attempts from the website to obfuscate sensitive text like passwords. 

Even though Google recently launched the Manifest V3 protocol for Chrome extensions, which is supposed to limit abuse to APIs, prevent arbitrary code execution and stop extensions from using remote code to avoid detection, the researchers claim that it does not offer protection between extensions and web pages, so content scripts are still vulnerable. 

In order to see if the extension would get through Google's review process, the researchers decided to upload their extension to the Chrome Web Store under the guide of a ChatGPT assistant. 

Since it does not contain malicious code or retrieve code from external sources, it is compliant with Manifest V3. Google therefore allowed it to be uploaded to its store. The researchers did not actually steal any user data, though. They also left the extension as unpublished and removed it from the store soon after it was approved.

The researchers claim that over a thousand of the world's most popular websites store user passwords in plain text within their HTML source code, and a further 7,300 sites are vulnerable to DOM API access, allowing for direct extraction of user inputs. 

They also said that roughly 17,300 (12.5%) Chrome extensions can extract this kind of sensitive information legitimately via permissions granted to them by Google. Many have millions of installs, and include popular ad blockers and shopping apps.

More from TechRadar Pro

TOPICS
Lewis Maddison
Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

Read more
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
chrome firefox extensions
Google Chrome extensions hit in major attack - dozens of developers affected, so be on your guard
A finger touching the google chrome icon in the Windows 10 start menu
A new Chrome browser highjacking attack could affect billions of users - here's how to fight it
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Google Chrome extensions targeted by hackers to steal user passwords
Chrome icon on Android
Google Chrome extensions hack may have started much earlier than expected
Chrome 90 Browser for iOS
Google Chrome might soon use AI to make you a better password
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
DeepSeek
Deepseek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
An aerial view of an Instavolt Superhub for charging electric vehicles
Forget gas stations – EV charging Superhubs are using solar power to solve the most annoying thing about electric motoring
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
Nimo N172 laptop

This obscure laptop brand sells a 64GB AMD Ryzen 9 laptop for just over $700 which is faster than the Apple's M4 CPU
See more latest
Most Popular
Nimo N172 laptop
This obscure laptop brand sells a 64GB AMD Ryzen 9 laptop for just over $700 which is faster than the Apple's M4 CPU
DeepSeek
Deepseek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Student with headphones around her neck using a phone while sitting in a cafe in front of a laptop
One of the richest men in the world castigates the billions of dollars spent on buying laptops for US classrooms with no apparent improvements
An aerial view of an Instavolt Superhub for charging electric vehicles
Forget gas stations – EV charging Superhubs are using solar power to solve the most annoying thing about electric motoring
Tesla Model Y 2025
Tesla’s EU sales are in freefall as VW races ahead, but the Model Y could change all that
Asus NUC 15 Pro+
Asus unveils its most powerful mini PC to date — but I don't think the Intel-powered NUC 15 Pro+ will compete with Strix Halo models
HDD
Seagate teams with Nvidia to build an NVMe hard drive proof of concept, more than 3 years after its last effort
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event