The vulnerability has since been patched

A Chrome extension can be exploited to expose users’ private information and view their emails, a security researcher has said.

Eight million users could have had personal details compromised after they downloaded the Read&Write Chrome extension version 1.8.0.139.

The add-on, which was designed to improve spelling and grammar across documents and web pages, allowed attackers to steal users’ emails and view sites through the victim’s login details.

This occurs through the extension’s use of inject.js – content script made for adding JavaScript code to online documents, which is automatically linked to all websites when implemented.

The script allowed malicious websites to interact with the extension, asking it to provide confidential information such as a user’s email inbox, or bank account details.

“In order to be more flexible with the Chrome extension API usage, many extensions will build a bridge to allow calling the background page from the regular web context,” said Matt Bryant, a security researcher who first discovered the issue.

Writing about his findings on The Hacker Blog, Bryant said: “Many Chrome extension developers forget to validate the origin of messages in order to prevent arbitrary sites from calling potentially sensitive functionality.

“In this case, the ideal action would likely be to move most of the logic into the content script to be called not by postMessage but instead by event listeners triggered with the isTrusted property validated. This way it can be ensured that all calls are triggered by user actions instead of forged by an attacker.”

The vulnerability was reported last Friday to extension developer Texthelp. The company released a patch on Monday.

Users should be aware that installing extensions can increase their susceptibility to attack when browsing the web, as extensions are granted privileged access to their browser.

According to posts on Twitter, Bryant is developing a tool to make reviewing the security of Chrome extensions easier.

The Daily Swig has previously covered Bryant’s work, including his discovery of a bug on Signal Desktop.