bleepingcomputer[.]com/news/security/chrome-extensions-can-steal-plaintext-passwords-from-websites/
I'm suddenly glad, FWIW, that we use Opera with no extensions to access Amazon, banks etc.
A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.
Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.
Subsequent measurements showed that of the top 10k websites (as per Tranco), roughly 1,100 store user passwords in plaintext within the HTML DOM. Another 7,300 websites from the same set were deemed vulnerable to DOM API access and direct extraction of the user's input value.
The technical paper the researchers at the University of Wisconsin-Madison published earlier this week claims that approximately 17,300 extensions in the Chrome Web Store (12.5%) hold the permissions required to extract sensitive information from websites. Several of those, including widely used ad blockers and shopping apps, boast millions of installations.
Notable website examples of lack of protections highlighted in the report include:
gmail.com – plaintext passwords on HTML source code
cloudflare.com – plaintext passwords on HTML source code
facebook.com – user inputs can be extracted via the DOM API
citibank.com – user inputs can be extracted via the DOM API
irs.gov – SSNs are visible in plaintext form on the web page source code
capitalone.com – SSNs are visible in plaintext form on the web page source code
usenix.org – SSNs are visible in plaintext form on the web page source code
amazon.com – credit card details (including security code) and ZIP code are visible in plaintext form on the page's source code
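The two exposure classes above (values serialized into the page's HTML source, and password fields whose live value any script with DOM access can read) can be checked from a site owner's side with a source audit. The following is an added example, not code from the article or the research paper; the attribute parser, the field-name heuristic and the sample form are constructed for illustration.

```javascript
// Added example (not from the article or the paper): audit an HTML document's
// source text for the two exposure classes described in the article.
// Class A ("value-in-source"): a password or other sensitive input whose value is
//   serialized into the markup, readable by anything that can fetch the page source.
// Class B ("dom-readable"): a password input present in the DOM at all; any script
//   with DOM access, including an extension content script, can read its live value.

// Heuristic list of field names worth treating as sensitive (assumption).
const SENSITIVE_NAME = /(pass|pwd|ssn|social|card|cvv|cvc|security.?code)/i;

// Minimal <input ...> tag and attribute parser so the example runs without jsdom.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      // a[2]/a[3]/a[4]: double-quoted, single-quoted, unquoted value; '' for bare attrs.
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Returns one finding per sensitive input: which field, and which exposure class.
function auditHtml(html) {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    const type = (attrs.type || 'text').toLowerCase();
    const name = attrs.name || attrs.id || '';
    const sensitive = type === 'password' || SENSITIVE_NAME.test(name);
    if (!sensitive) continue;
    if (attrs.value && attrs.value.length > 0) {
      findings.push({ field: name, type, issue: 'value-in-source' });
    } else if (type === 'password') {
      findings.push({ field: name, type, issue: 'dom-readable' });
    }
  }
  return findings;
}

// Constructed sample page: a login form that echoes submitted values back into markup.
const SAMPLE_HTML = `
<form action="/login">
  <input type="text" name="user" value="alice">
  <input type="password" name="pass" value="hunter2">
  <input type="text" name="ssn" value="123-45-6789">
  <input type="password" name="confirm">
  <input type="hidden" name="csrf" value="abc">
</form>`;

// Hardened variant: the server no longer serializes submitted values into the HTML.
// Class A findings disappear; class B remains, since password inputs still exist in the DOM.
const HARDENED_HTML = SAMPLE_HTML.replace(/ value="[^"]*"/g, '');

console.log(JSON.stringify(auditHtml(SAMPLE_HTML), null, 2));
console.log(JSON.stringify(auditHtml(HARDENED_HTML), null, 2));
```

Run it with Node; the first report lists the password and SSN values present in the source plus the unfilled password field, the second lists only the two fields that remain readable through the DOM. Removing `value` attributes fixes class A at the server; class B is inherent to any page with a password input and is exactly why the permissions an extension holds matter.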
Finally, the analysis showed that 190 extensions (some with over 100k downloads) directly access password fields and store values in a variable, suggesting that some publishers may already be trying to exploit the security gap.
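For the extension side of the finding, a store reviewer or enterprise admin can do a static triage of a manifest and its content scripts before allowing an install: does the extension get DOM access on arbitrary sites, and does its code select password fields and read their values? This is an added example, not code from the article or the paper; the match-pattern list, the source-code heuristics and the two sample extensions are constructed assumptions.

```javascript
// Added example (not from the article or the paper): static triage of a Chrome
// extension for the combination the article describes, broad DOM access plus code
// that directly reads password fields. Pattern lists below are assumptions.

// Match patterns that give a content script DOM access to effectively any site.
const BROAD_MATCH = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

function hasBroadDomAccess(manifest) {
  const scripts = manifest.content_scripts || [];
  const fromScripts = scripts.some(cs => (cs.matches || []).some(p => BROAD_MATCH.test(p)));
  // Manifest V3: "scripting" plus broad host_permissions lets the extension inject code at runtime.
  const hosts = manifest.host_permissions || [];
  const canInject = (manifest.permissions || []).includes('scripting') &&
                    hosts.some(p => BROAD_MATCH.test(p));
  return fromScripts || canInject;
}

// Heuristic: the source selects password inputs AND reads a field's value.
const PASSWORD_SELECTOR = /type\s*=\s*["']?password|:password\b/i;
const VALUE_READ = /\.value\b/;

function touchesPasswordFields(source) {
  return PASSWORD_SELECTOR.test(source) && VALUE_READ.test(source);
}

// Verdicts: 'review-required' is the class the article counts (190 extensions);
// 'broad-access' covers extensions such as ad blockers that need site-wide access
// but whose code does not touch password fields.
function triageExtension(manifest, contentScriptSources) {
  const broad = hasBroadDomAccess(manifest);
  const pw = contentScriptSources.some(touchesPasswordFields);
  let verdict = 'low';
  if (broad && pw) verdict = 'review-required';
  else if (broad) verdict = 'broad-access';
  return { name: manifest.name, broadDomAccess: broad, passwordFieldAccess: pw, verdict };
}

// Constructed samples; neither is a real extension.
const AD_BLOCKER_MANIFEST = {
  manifest_version: 3,
  name: 'Example Blocker',
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
const AD_BLOCKER_SCRIPT = `document.querySelectorAll('.ad').forEach(e => e.remove());`;

const SUSPECT_MANIFEST = {
  manifest_version: 3,
  name: 'Example Helper',
  permissions: ['scripting'],
  host_permissions: ['<all_urls>'],
};
// The pattern the article describes: a password field is selected and its value stored in a variable.
const SUSPECT_SCRIPT = `const f = document.querySelector('input[type="password"]'); let v = f && f.value;`;

const NARROW_MANIFEST = {
  manifest_version: 3,
  name: 'Example Site Tool',
  content_scripts: [{ matches: ['https://example.org/*'], js: ['content.js'] }],
};

console.log(triageExtension(AD_BLOCKER_MANIFEST, [AD_BLOCKER_SCRIPT]));
console.log(triageExtension(SUSPECT_MANIFEST, [SUSPECT_SCRIPT]));
console.log(triageExtension(NARROW_MANIFEST, [SUSPECT_SCRIPT]));
```

The third sample shows why the two signals are combined: password-field access scoped to a single origin is ordinary behaviour for a site-specific helper, whereas the same code paired with `<all_urls>` is what turns a permission into the exposure the paper measured. Heuristics like these are a triage filter, not proof; obfuscated or dynamically loaded code will need a manual review.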