Skip Navigation

Password-stealing Chrome extension smuggled on to Web Store

www.malwarebytes.com Password-stealing Chrome extension smuggled on to Web Store

Chrome browser extensions can steal passwords from the text input fields in websites, despite Chrome's latest security and privacy standard, Manifest V3.

Password-stealing Chrome extension smuggled on to Web Store

cross-posted from !google@lemdro.id

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
10

You're viewing a single thread.

10 comments
10 comments