Protecting Your Sensitive Data

Fawaz found that some popular websites are vulnerable to browser extensions that can extract user data like passwords, credit card information, and social security numbers from HTML code. Bryce Richter

When you type a password or credit card number into a website, you expect that your sensitive data will be protected by a system designed to keep it secure.

That’s not always the case, according to a group of UW digital security researchers led by Kassem Fawaz, a UW–Madison associate professor of electrical and computer engineering. They found that some popular websites are vulnerable to browser extensions that can extract user data like passwords, credit card information, and social security numbers from HTML code.

Browser extensions are add-ons that allow users to customize their internet experience, for example by blocking ads or allowing one-click password storage.

The researchers found that a huge number of websites — about 15 percent of more than 7,000 they looked at — store sensitive information as plain text in their HTML source code. While many security measures keep hackers from accessing these data, the researchers hypothesized that it might be possible to find it using a browser extension. “It’s a dangerous thing,” Fawaz says.

He hopes his research will convince website administrators to rethink the way they handle this sensitive information. His team proposes alerts to let users know when sensitive data are being accessed by browser extensions, as well as tools for developers to protect these data fields.

Published in the Spring 2024 issue