Password theft is a growing threat in today’s digital world. A concerning new report reveals that Chrome extensions could be putting your passwords at risk – and Google may be unwittingly allowing it.
Researchers at the University of Wisconsin-Madison developed a proof-of-concept extension that can steal passwords in plain text. The culprit? Overly permissive access that lets extensions view sensitive user input. Although Google launched Manifest V3 to limit API abuse, it seems to provide no protection between extensions and websites.
This loophole allowed the researchers to create an AI chatbot extension approved by Google, despite its password scraping abilities. Of course, it was immediately removed without being published to users. Still, the implications are troubling.
The password vulnerability extends beyond rogue extensions too. Thousands of popular sites store passwords in plain text HTML, visible to any prying extension.
How Widespread Is the Password Risk?
The password security problem impacts thousands of sites and extensions:
- Over 1,000 popular sites store passwords in plaintext HTML.
- 7,300 sites are vulnerable to DOM API access, allowing password keystrokes to be extracted.
- 17,300 Chrome extensions, about 12.5%, can legitimately scrape passwords due to Google’s permissions. Even some popular ad blockers fall into this category.
How Can I Keep My Passwords Safe?
While the researchers disclosed the flaws to Google, here are some tips to boost your password security now:
- Use a password manager. Rely on a dedicated app like LastPass or 1Password to generate and store strong, unique passwords.
- Enable two-factor authentication (2FA). Add an extra layer of protection by requiring a code from your phone or an authenticator app when you log in.
- Watch for phishing attempts. Never enter your password if you suspect a site is fake. Double check the URL and look for “HTTPS” to verify security.
- Change passwords regularly. Update your passwords every 90 days or if you notice suspicious account activity. Unique passwords limits the damage from potential leaks.
Password theft may be on the rise, but with good habits, you can lock down your logins for safe browsing. Proper precautions will keep you secure as Google addresses potential Chrome weaknesses.
Frequently Asked Questions
What is the Chrome password security flaw?
Researchers found that Chrome extensions can steal plaintext passwords due to overly permissive access to sensitive user inputs like password fields.
Why does Google allow it?
It seems Google may have unintentionally enabled this access. The researchers got an AI chatbot extension approved despite its ability to scrape passwords.
How can extensions steal passwords?
Many sites store passwords in plaintext HTML. Chrome extensions can inject code that extracts text from password fields via the DOM API. Google’s Manifest V3 does not protect against this currently.
How many sites and extensions are affected?
Over 1,000 popular sites store passwords insecurely. About 17,300 Chrome extensions could potentially take advantage of the access to scrape passwords.
What can users do to protect passwords?
Use password managers, enable two-factor authentication, watch for phishing attempts, and change passwords regularly to lock down account security.