Well, yeah, of course they can. They can read the entire DOM, including the value of password fields. Were you expecting otherwise?
Great!
There’s a bit of crying wolf here, as the problem is that extensions can access input fields that may be password fields (actual problem with extension access rights), and secondarily the researchers found sites storing passwords in plaintext in the page source (nothing to do with extensions having too much rights and everything to do with those sites being garbage).
Anyway, didn’t Chrome change how their extensions worked around a year ago to make them more secure and limit their access?
Thought it caused problems for ad-blockers. Guess it really was all about kicking adblockers and not a single bit about security for users.
That’s like 20 years old news.