Password-stealing Chrome extension smuggled on to Web Store
Password-stealing Chrome extension smuggled on to Web Store
Chrome browser extensions can steal passwords from the text input fields in websites, despite Chrome's latest security and privacy standard, Manifest V3.
cross-posted from [email protected]
Original source: https://arxiv.org/pdf/2308.16321.pdf
- Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.
- A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
- The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
- Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
- Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
You're viewing a single thread.
or, hear me out, use firefox instead
I use Firefox but this is kind of silly. The real advice is use very few addons. On Firefox I use only ublock.
What exactly makes Firefox more resistant against malicious extensions?
Nothing really. The way add-ons interact with web pages is very similar.
Yeah. That's why I don't understand how using Firefox would be solution to this. The only solution is to not use extensions.
Firefox requires explicit user interaction to grant the
all_urlspermission, although this only applies to Manifest V3. Here's what it looks like on my extension:
I could've just reverted to Manifest V2 to avoid that step, but V3 will probably become mandatory someday.
Doesn’t chrome also need this? I know I get prompted to re-enable all urls permission every now and then when there’s a significant chrome and/or extension update.
On Chrome, I only ever recall seeing the dialog when I install an extension, or if an extension is updated to use additional permissions.
Firefox MV3 is different, in that the all_urls permission cannot be granted on install. If an extension requests all_urls, it installs with the permission disabled. The user has to manually enable it for one site or all.
IPvFoo is mostly useless without all_urls, which is why I made it show that button until the permission is granted.
I see! Yeah I think Chrome asks one time on install and most users just blindly accept everything. Prompting on first actual use is a good idea.
Removes sunglasses My god! It's so crazy it might actually work!