Exposing and Addressing Security Vulnerabilities in Browser Text Input Fields
Asmit Nayak, Rishabh Khandelwal, Kassem Fawaz

TL;DR
This paper uncovers security vulnerabilities in web browser text input fields, demonstrating their prevalence and proposing countermeasures to protect sensitive user data from malicious extensions and attacks.
Contribution
It identifies specific vulnerabilities in browser input fields, demonstrates their real-world impact, and proposes practical solutions for immediate and browser-level security improvements.
Findings
Sensitive data like passwords are exposed in HTML source code on major websites.
12.5% of extensions can exploit these vulnerabilities.
190 extensions access password fields directly.
Abstract
In this work, we perform a comprehensive analysis of the security of text input fields in web browsers. We find that browsers' coarse-grained permission model violates two security design principles: least privilege and complete mediation. We further uncover two vulnerabilities in input fields, including the alarming discovery of passwords in plaintext within the HTML source code of the web page. To demonstrate the real-world impact of these vulnerabilities, we design a proof-of-concept extension, leveraging techniques from static and dynamic code injection attacks to bypass the web store review process. Our measurements and case studies reveal that these vulnerabilities are prevalent across various websites, with sensitive user information, such as passwords, exposed in the HTML source code of even high-traffic sites like Google and Cloudflare. We find that a significant percentage…
Taxonomy
Topics: Web Application Security Vulnerabilities · Advanced Malware Detection Techniques · Security and Verification in Computing
