Google's Souped-up Chrome Store Review Process Foiled by Data-Stealer

Published : 23/11/2024   Category : security




Researchers have discovered that despite Google's adoption of the Manifest V3 security standard to protect against malicious plug-ins, attackers can still get bad extensions past its review process.



Malicious yet legitimate-looking Google Chrome browser extensions that steal people's passwords and other sensitive data can still make it into the official app store, despite Google's adoption of a standard aimed at preventing this from happening.
That's the word from researchers at the University of Wisconsin–Madison, who have created a proof-of-concept, data-stealing browser extension that successfully passed the Chrome Web Store review process despite its compliance with Manifest V3, Chrome's latest security and privacy standard, they reported in a research paper posted online.
Google Chrome's adoption of Manifest V3 — which Microsoft Edge and Mozilla Firefox also now support — is a balancing act between allowing browser extensions the access they need to run effectively, while protecting users by not giving malicious extensions the same access, Mark Stockley, a cybersecurity evangelist from Malwarebytes Labs, wrote in a blog post published this week.
The standard tightens up security in a number of ways, most notably by stopping extensions from downloading code from remote websites, he wrote. This, in turn, stops them from changing their functionality once they're installed, allowing Google to understand what an extension does before allowing it to be posted on the Chrome store.
However, Google's adoption of Manifest V3 didn't stop researchers Asmit Nayak, Rishabh Khandelwal, and Kassem Fawaz from the University of Wisconsin–Madison from building a browser extension that leveraged techniques from static and dynamic code injection attacks to bypass the Chrome store's review process.
Specifically, the researchers uncovered two vulnerabilities in input fields, one of which was the alarming discovery of passwords in plaintext within the HTML source code of the web page, they wrote in their paper.
The reason that their extension can still successfully steal data from browsers is because despite the adoption of Manifest V3, the interaction between the extensions and the web pages has not changed, they wrote.
The extensions can still access entire contents of the web pages, including text input fields where users may enter sensitive information such as passwords, Social Security numbers, and credit-card information, according to the paper.
The researchers disguised their extension as a GPT-based assistant offering ChatGPT-like functions on websites, which allowed it to plausibly ask for permission to run on all websites, Stockley explained.
The extension — which was removed once it passed the review process — could run three attacks based on vulnerabilities that continue to exist in how websites and browsers interact: a source extraction attack, a value attack, and an element substitution attack.
The first attack allowed the researchers to copy the sensitive values of website input fields from the element’s outer HTML; the second allowed them to select the target input field and read the sensitive values; and the third allowed them to bypass JavaScript-based obfuscation to extract sensitive values.
The success of the browser attacks hinges on the fact that browser extensions have full and unfettered access to the Document Object Model (DOM) of every webpage that someone visits, Stockley explained. The DOM is a representation of a webpage in computer memory that can be accessed and changed, allowing the page to be modified on the fly.
Full access to a page's DOM gives extensions tremendous power, which includes reading or modifying text input fields, like the ones you type your passwords into, he wrote.
While the success of the researchers' technique depends on the way the page is designed, most of the top 10,000 websites are vulnerable, including the likes of google.com, facebook.com, gmail.com, cloudflare.com, and amazon.com, among others, the researchers claimed.
"Our measurements and case studies reveal that these vulnerabilities are prevalent across various websites, with sensitive user information, such as passwords, exposed in the HTML source code of even high-traffic sites," they wrote.
Moreover, some 12.5% of extensions possess the necessary permissions to exploit these vulnerabilities, they wrote, identifying 190 extensions that directly access password fields.
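A defender-side check related to the permissions figure above, as an added example that is not from the paper or the article: it triages Manifest V3 `manifest.json` files for the ability to run scripts on every site. The set of "broad" match patterns, the function names and the sample manifests are assumptions constructed for illustration; the article does not list the paper's exact permission criteria.

```javascript
// Added example (not from the paper): triage MV3 manifests for all-site page access.
// Assumption: "broad" means one of these match patterns.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const broadOnly = (patterns) => (patterns || []).filter((p) => BROAD_PATTERNS.has(p));

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];

  // Statically declared content scripts run inside matching pages and see their DOM.
  for (const script of manifest.content_scripts || []) {
    const broad = broadOnly(script.matches);
    if (broad.length) findings.push(`content script injected on ${broad.join(', ')}`);
  }
  // Broad host access plus "scripting" allows injection at runtime on any site.
  const broadHosts = broadOnly(manifest.host_permissions);
  if (broadHosts.length && perms.includes('scripting')) {
    findings.push(`scripting permission with host access ${broadHosts.join(', ')}`);
  }
  // Optional hosts can be requested later, after review and install.
  const optional = broadOnly(manifest.optional_host_permissions);
  if (optional.length) findings.push(`optional host access ${optional.join(', ')}`);

  return { name: manifest.name, verdict: findings.length ? 'review' : 'ok', findings };
}

// Constructed sample manifests (hypothetical extensions, not real store listings).
const SAMPLES = [
  { name: 'Page Assistant', manifest_version: 3, permissions: ['storage'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }] },
  { name: 'Example Notes', manifest_version: 3, permissions: ['storage'],
    content_scripts: [{ matches: ['https://notes.example.com/*'], js: ['notes.js'] }] },
  { name: 'Tab Tools', manifest_version: 3, permissions: ['scripting', 'tabs'],
    host_permissions: ['https://*/*'], optional_host_permissions: ['http://*/*'] },
];

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

for (const r of auditAll(SAMPLES)) {
  console.log(`${r.verdict.padEnd(6)} ${r.name}: ${r.findings.join('; ') || 'no broad page access'}`);
}
```

A "review" verdict only means the extension can reach page content everywhere, which is the precondition the article describes; it says nothing about whether the extension actually reads input fields.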
It's no secret how great a risk malicious browser extensions pose not just to Google Chrome — which has been fighting an uphill battle for years to remove bad plug-ins from its store — but to all browsers. Indeed, recent research found that more than half of all browser extensions currently installed are high risk and had the potential to cause extensive damage to organizations using them.
To counter the threats that their paper uncovered, the researchers shared countermeasures that can be implemented in the form of a bolt-on solution that would provide an add-on package to a browser, and a built-in solution developed directly in the browser itself.
The former is a proposed JavaScript package that website developers can adopt that allows them to protect sensitive input fields. The latter solution would be an alert at the browser level that lets users know when an extension accesses sensitive input fields, both when the sensitive input field is selected and when its value is read, the researchers wrote.
