149
Password-stealing Chrome extension smuggled on to Web Store (www.malwarebytes.com)
submitted 1 year ago by ijeff@lemdro.id to c/technology@lemmy.ml
10 comments fedilink hide all child comments

cross-posted from !google@lemdro.id

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
you are viewing a single comment's thread
view the rest of the comments
[-] CallMeM@lemmy.ml 58 points 1 year ago

or, hear me out, use firefox instead

[-] Floey@lemm.ee 42 points 1 year ago

I use Firefox but this is kind of silly. The real advice is use very few addons. On Firefox I use only ublock.

[-] suction@lemmy.world 18 points 1 year ago

What exactly makes Firefox more resistant against malicious extensions?

[-] Norgur@kbin.social 16 points 1 year ago

Nothing really. The way add-ons interact with web pages is very similar.

[-] suction@lemmy.world 4 points 1 year ago

Yeah. That's why I don't understand how using Firefox would be solution to this. The only solution is to not use extensions.

[-] p1mrx@sh.itjust.works 5 points 1 year ago

Firefox requires explicit user interaction to grant the all_urls permission, although this only applies to Manifest V3. Here's what it looks like on my extension:

I could've just reverted to Manifest V2 to avoid that step, but V3 will probably become mandatory someday.

[-] chiisana@lemmy.chiisana.net 1 points 1 year ago

Doesn’t chrome also need this? I know I get prompted to re-enable all urls permission every now and then when there’s a significant chrome and/or extension update.

[-] p1mrx@sh.itjust.works 4 points 1 year ago* (last edited 1 year ago)

On Chrome, I only ever recall seeing the dialog when I install an extension, or if an extension is updated to use additional permissions.

Firefox MV3 is different, in that the all_urls permission cannot be granted on install. If an extension requests all_urls, it installs with the permission disabled. The user has to manually enable it for one site or all.

IPvFoo is mostly useless without all_urls, which is why I made it show that button until the permission is granted.

[-] chiisana@lemmy.chiisana.net 1 points 1 year ago

I see! Yeah I think Chrome asks one time on install and most users just blindly accept everything. Prompting on first actual use is a good idea.

[-] Valthorn@feddit.nu 12 points 1 year ago

Removes sunglasses My god! It's so crazy it might actually work!

this post was submitted on 06 Sep 2023
149 points (97.5% liked)

Technology

34771 readers
101 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.

Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.

Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
MinutePhrase@lemmy.ml