"Rogue Chrome Extensions Can Steal Passwords From Websites Such as Gmail, Amazon & Facebook"

University of Wisconsin-Madison researchers have developed a Proof-of-Concept (PoC) Chrome extension that can steal plaintext passwords from the HTML source code of nearly any website. In a recently published paper, the researchers detailed how a comprehensive analysis of the security of text input fields in web browsers revealed that the coarse-grained permission model governing extension access to those fields violates two security design principles: least privilege and complete mediation. The researchers also identified two input field vulnerabilities, including plaintext passwords in the HTML source code of popular websites such as gmail[.]com. Cloudflare, Facebook, Amazon, Citibank, and Capital One are just a few other major websites that store plaintext passwords in their HTML source code. About 12.5 percent of the extensions on the Chrome web store have the necessary permissions to exploit these vulnerabilities, including some of the most widely used ad blockers and shopping add-ons. This article continues to discuss the researchers' key findings regarding security vulnerabilities in browser text input fields.
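As an added, illustrative example (not code from the paper or the article), the following Python audit flags extension manifests whose content scripts or host permissions reach every site, which is the coarse-grained access an extension needs to read any page's DOM the way the PoC does. The set of broad host patterns, the risk rule and the sample manifests are constructed assumptions for the audit, not values taken from the paper.

```python
import json

# Host patterns that match every site.  Assumed list for this audit; an
# extension granted one of these can run scripts against any page's DOM.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(p):
    """True for permission entries that are host match patterns (MV2 style)."""
    return p == "<all_urls>" or "://" in p


def dom_reach(manifest):
    """Summarise which sites an extension's scripts may read (MV2 and MV3)."""
    perms = manifest.get("permissions", [])
    content_hosts = [m for cs in manifest.get("content_scripts", [])
                     for m in cs.get("matches", [])]
    host_perms = list(manifest.get("host_permissions", []))  # MV3
    host_perms += [p for p in perms if _is_host_pattern(p)]  # MV2
    # Scripts reach the DOM through declared content scripts or the
    # scripting API combined with host permissions.
    can_run_scripts = bool(content_hosts) or "scripting" in perms
    all_sites = any(p.strip() in BROAD_HOST_PATTERNS
                    for p in content_hosts + host_perms)
    return {
        "name": manifest.get("name", "?"),
        "all_sites": all_sites,
        "can_run_scripts": can_run_scripts,
        # Assumed risk rule: script execution on every site.  activeTab
        # alone is not flagged since it needs a user gesture per tab.
        "risky": all_sites and can_run_scripts,
        "hosts": sorted(set(content_hosts + host_perms)),
    }


def audit(manifests):
    """Return the summaries of manifests that satisfy the risk rule."""
    return [r for m in manifests if (r := dom_reach(m))["risky"]]


# Constructed sample manifests (not real Web Store extensions).
SAMPLE_MANIFESTS = [json.loads(s) for s in (
    '{"manifest_version": 3, "name": "Constructed Ad Blocker",'
    ' "content_scripts": [{"matches": ["<all_urls>"], "js": ["block.js"]}]}',
    '{"manifest_version": 3, "name": "Constructed Site Helper",'
    ' "content_scripts": [{"matches": ["https://example.com/*"], "js": ["h.js"]}]}',
    '{"manifest_version": 3, "name": "Constructed Shopping Helper",'
    ' "permissions": ["scripting", "storage"], "host_permissions": ["*://*/*"]}',
    '{"manifest_version": 2, "name": "Constructed Note Taker",'
    ' "permissions": ["storage", "activeTab"]}',
)]

if __name__ == "__main__":
    for r in audit(SAMPLE_MANIFESTS):
        print(f"{r['name']}: can read every site's DOM via {r['hosts']}")
```

Pointing the loader at the `manifest.json` files under a browser profile's extensions directory turns this into a quick inventory of which installed add-ons hold the permissions the article describes.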

TechSpot reports "Rogue Chrome Extensions Can Steal Passwords From Websites Such as Gmail, Amazon & Facebook"

Submitted by Anonymous on