Password-stealing Chrome extension smuggled on to Web Store
Password-stealing Chrome extension smuggled on to Web Store
www.malwarebytes.com Password-stealing Chrome extension smuggled on to Web Store
Chrome browser extensions can steal passwords from the text input fields in websites, despite Chrome's latest security and privacy standard, Manifest V3.
cross-posted from [email protected]
Original source: https://arxiv.org/pdf/2308.16321.pdf
- Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.
- A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
- The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
- Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
- Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
10 comments
or, hear me out, use firefox instead
I use Firefox but this is kind of silly. The real advice is use very few addons. On Firefox I use only ublock.
What exactly makes Firefox more resistant against malicious extensions?
Removes sunglasses My god! It's so crazy it might actually work!
10 comments