Bleeping Computer is reporting this with these quotes from the article. NOT GOOD for Chrome users in any manner.

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.

Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.

The technical paper the researchers at the University of Wisconsin-Madison published earlier this week claims that approximately 17,300 extensions in the Chrome Web Store (12.5%) secure the required permissions to extract sensitive information from websites.

Notable website examples of lack of protections highlighted in the report include:

• gmail.com – plaintext passwords on HTML source code
• cloudflare.com – plaintext passwords on HTML source code
• facebook.com – user inputs can be extracted via the DOM API
• citibank.com – user inputs can be extracted via the DOM API
• irs.gov – SSNs are visible in plaintext form on the web page source code
• capitalone.com – SSNs are visible in plaintext form on the web page source code
• usenix.org – SSNs are visible in plaintext form on the web page source code
• amazon.com – credit card details (including security code) and ZIP code are visible in plaintext form on the page's source code

https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-plaintext-passwords-from-websites/

SA