A group of University of Wisconsin researchers have found that the browser extensions webpage visitors encounter can identify user data, including Social Security numbers, login information and credit card details through HTML code, according to a post from UW News.
UW News said an early version of their findings, which were discovered when examining Google login webpages, has generated discussion about cybersecurity in tech circles.
The researchers found that 15% of the websites they examined, totaling around 7,000, include this information as plain text inside the source code, according to UW News. The team hypothesizes this information could be obtained through a browser add-on extension
UW Computer Science Ph.D. student Jack West said it is still uncertain what web browsers do with this information. It is up to the website what is done about the information, with the potential of it keeping track of it or even selling it.
Ph.D. student on the Online Privacy research team Rishabh Khandelwal said when browsers extract sensitive data, it can allow leaks of user passwords and other data to malicious actors. This could be bank information or personal emails, which are also connected to other places.
UW Computer, Data and Information Sciences professor Rick Wash said web browsers have access to user information when users consent to “cookies,” or data files that are collected for personalized experiences on websites. But, using web browser extensions from the Chrome, Microsoft and Apple stores is usually safe.
Cheese-making organism may become state microbe, researchers say
Wash’s work is focused on the human aspects of cybersecurity. His research focuses on how people decide whether something is trustworthy and how people make decisions on security implications in general, Wash said.
Khandelwal also said the more people who download extensions, the safer they are.
Extensions with more downloads and reviews are more trustworthy than those with few downloads or no reviews. Checking the reviews can help verify the integrity of an extension because other users can attest to their experience with it, according to Microsoft.
Ph.D. student Asmit Nayak, who is also part of the Online Privacy research team Asmit Nayak said, on the surface, these browser extensions do what they are intended to do, but it is possible that behind the scenes, other activities are conducted.
Microsoft also states that browser extensions are mostly safe to use, and they can even offer protection for users. But since the extensions run in the background of a browser, malicious software may have access to them and personal information like passwords and credit card numbers by association.
“Even if you are not doing anything wrong, someone can use sensitive data to get access to your identity,” Nayak said. “If someone has your Social Security number, they can do a lot of bad things with that.”
If someone were to install a malicious extension, it could read that data and then send it to its own servers, Nayak said.
Once a device is affected by a malicious extension, or malware, criminals can store and steal users’ personal information. This can make a device even more susceptible to more malware, according to the Federal Trade Commission.
Many websites, though, prevent extensions from accessing personal and sensitive data, according to Nayak, but agreeing to a webpage’s terms and conditions may provide access to this data.
Browser extensions can collect user data to sell to marketing agencies, which is legal if someone agrees to the privacy policy, which is why he recommends reading them. The browser extensions can collect behavioral data like what products a person is browsing, West said, and use that data to optimize how to advertise to a person.
“A big reason why the campus wanted to ban the app [Tik Tok] is because they were afraid that that data was being shared with parties they didn’t agree with … like logging credentials or API tokens, things of that nature, it could be bad,” West said.
But there is a lack of specific laws and regulations on what the browsers can access, Nayak said. Browsers can not differentiate whether they just have access to text boxes or passwords and email addresses as well.
“The problem is that browser exchange or the browser itself does not differentiate between access to any data and access to sensors,” Khandelwal said.
Basically, Khandewal said, once the extension gets access to one page, it can potentially get access to everything else.
UW professors weigh impacts of cannabis legalization on medicine, research
Though companies are usually very willing to implement change after being alerted of privacy issues because of public relations concerns, some do not agree these are severe issues. Nayak said Khandelwal and the rest of their research team reached out to a website company after they found a vulnerability in an extension that was able to extract and exfiltrate user data. The company did not view this as a severe issue, as long as the extension asked for necessary permissions.
Nayak said his team believes it’s a major security issue to allow passwords to be visible to the extensions.
Users oftentimes are unaware passwords are visible to extensions because they allow the extensions to run, Khandelwal said. The team hopes their work can cause awareness and a solution to the problem.
Breaches in cybersecurity could be particularly bad for university students because if someone signs into a person’s university account, the hackers could access their grades, course material or financial information, Wash said. Malicious actors may also target professors’ accounts and gain access to confidential student records, grades or intellectual property. But universities have security measures and verification apps for this reason such as Duo Mobile, West said.
