You might love adding those cool browser extensions for fun stuff or helpful tools, but they might be riskier than you think.
A team from the University of Wisconsin–Madison has just shown that some of these extensions can see your passwords!
Three smart people from the University of Wisconsin–Madison did. Rishabh Khandelwal, Asmit Nayak, and their teacher, Kassem Fawaz, found something strange while checking out Google login pages.
They could see passwords in the website’s hidden part, called the HTML source code. Thinking this was odd, they decided to look into it more.
These researchers learned that many websites, about 15% of 7,000 they checked, keep our private details like passwords, credit card numbers, and even social security numbers, out in the open in their hidden parts.
Even though there are locks and guards (called security measures) to keep bad people away, this team thought that maybe, just maybe, a browser extension could sneak in and see this information.
Now, what’s a browser extension? It’s like a little helper tool you can add to your internet browser to make things cooler or easier. Like those tools that block annoying ads or help you shop better. But not all of them are friendly.
The team checked extensions for the Google Chrome browser and found that many of them, about 12.5% of them, could potentially peek at our private details if they wanted to. And the scarier part?
The researchers made a pretend harmful extension and managed to get it approved on the Chrome Web Store! (Don’t worry, they removed it right after without harming anyone.)
Well, bad guys online might want to see and steal our passwords and other private details.
And here’s a sneaky trick: instead of making a new harmful extension, they can just buy a popular one that lots of people use, change it a little to make it naughty, and then, without anyone noticing, it’ll start stealing passwords.
Google, the company behind Chrome, says they’re checking this out. But they don’t think it’s a big mistake.
They believe if we set up our extensions right and carefully pick which ones to use, we should be safe.
The main researcher, Fawaz, does think we should be a bit careful. He suggests that there should be alarms to tell us if an extension is looking at our private stuff. He also says that websites should be smarter about where and how they keep our details.
So, the big lesson? Be careful and think twice before adding any new helper tools (extensions) to your browser. And always remember, sometimes our secrets aren’t as hidden as we think, especially on the internet!
Follow us on Twitter for more articles about this topic.
Source: University of Wisconsin-Madison.