Google's Chrome Store review process foiled by Data-Stealer

Researchers at the University of Wisconsin-Madison found that despite Google's adoption of the Manifest V3 security standard to protect against malicious plugins, attackers can still bypass the review process and obtain malicious extensions. While Google has taken steps to prevent malicious extensions from entering the official Chrome app store, researchers have successfully made it through the Chrome Web Store review process with a proof-of-concept extension that steals sensitive data, including passwords. Despite the adoption of Manifest V3, extensions can still access all content on web pages, including sensitive data entry fields.

Vulnerabilities in the Chrome store review process

Researchers have discovered two vulnerabilities in the input fields of web pages. An alarming discovery was the presence of plaintext passwords in the HTML source code of the pages. Despite the adoption of Manifest V3, the interaction between extensions and web pages has not changed, allowing extensions to access website input fields and sensitive information entered by users such as passwords, social security numbers and information on the credit card. Extensions still have full access to the Document Object Model (DOM) of every web page you visit, allowing them to modify it on the fly.

Attacks exploited by attackers

Attackers leveraged static and dynamic code injection attack techniques to bypass Chrome's store review process. They carried out three types of attacks based on vulnerabilities still present in the interaction between websites and the browser. These attacks allowed them to copy the values of web page input fields, select target input fields to read their sensitive values, and bypass JavaScript-based obfuscation to extract sensitive information. Researchers have shown that the majority of the top 10,000 websites analyzed are vulnerable to these attacks.

Countermeasures proposed by researchers

Researchers have suggested two possible countermeasures to protect sensitive browser data. The first is a JavaScript package that website developers can adopt to protect sensitive input fields. This package would help prevent the extraction of sensitive values or the modification of input fields. The second proposed solution is a browser-level alert that would inform users when an extension accesses sensitive input fields. This way, users would be aware of potential vulnerabilities and could take necessary precautions. These countermeasures could help mitigate the risk of falling victim to malicious browser extensions.