
UW-Madison research proves your browser extension could grab your password and sensitive info

By Kathryn Merck


MADISON, Wis. (WISC) — When you type in a password, you often see a series of asterisks on your screen. However, that series of symbols means so much more to your software and for your digital security.

Researchers at the University of Wisconsin–Madison found that some popular websites are vulnerable to browser extensions that can extract user data such as passwords, credit card information, and social security numbers from HTML code. A preprint of their work has already been published and has created conversation in the tech community.

The results initially surprised the researchers, who came across the findings by accident.

“We were just messing around with login pages, and in the HTML source code we could see the password in plain text,” says Asmit Nayak, a PhD student at UW-Madison. “We thought, ‘This is interesting. Why is this happening?’”

The team includes Rishabh Khandelwal and Nayak, Ph.D. students who work with Kassem Fawaz, a UW–Madison associate professor of electrical and computer engineering.

The researchers found that a huge number of websites — about 15% of more than 7,000 they looked at — store sensitive information as plain text in their HTML source code. These are websites that many people use daily, like Google and Facebook.

While many security measures keep hackers from accessing this data, the team hypothesized that it might be possible to find it using a browser extension.

“Combining what we know about extensions and about websites, an extension can very easily access users’ passwords,” says Fawaz.

In a statement to the researchers, Google says that it is looking into the matter but does not consider this a security flaw, especially if permissions for the extensions are configured correctly.

However, the researchers believe these findings should concern people, as passwords aren’t as easily protected as some users may think.

“They need to find more control over sensitive information,” Khandelwal said, in reference to some of the bigger tech companies who store information this way.

Fawaz, however, is still concerned, and he hopes his research will convince websites to rethink the way they handle this sensitive information. His team proposes alerts to let users know when sensitive data is being accessed by browser extensions, as well as tools for developers to protect these data fields.

“It’s a dangerous thing,” Fawaz says. “This is something that people really need to know: Passwords aren’t always safe on browsers.”


CNN Newssource
