Password-stealing Chrome extension smuggled on to Web Store (www.malwarebytes.com)
from ijeff@lemdro.id to technology@lemmy.ml on 06 Sep 2023 08:21
https://lemdro.id/post/1179303

cross-posted from !google@lemdro.id

Original source: arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome’s latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions’ full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.

#technology


CallMeM@lemmy.ml on 06 Sep 2023 08:29

or, hear me out, use firefox instead

Valthorn@feddit.nu on 06 Sep 2023 08:38

*Removes sunglasses* My god! It’s so crazy it might actually work!

suction@lemmy.world on 06 Sep 2023 09:02

What exactly makes Firefox more resistant against malicious extensions?

Norgur@kbin.social on 06 Sep 2023 09:12

Nothing really. The way add-ons interact with web pages is very similar.

suction@lemmy.world on 06 Sep 2023 12:12

Yeah. That’s why I don’t understand how using Firefox would be a solution to this. The only solution is to not use extensions.

p1mrx@sh.itjust.works on 06 Sep 2023 15:50

Firefox requires explicit user interaction to grant the all_urls permission, although this only applies to Manifest V3. Here’s what it looks like on my extension:

[screenshot: the permission prompt as shown by the extension]

I could’ve just reverted to Manifest V2 to avoid that step, but V3 will probably become mandatory someday.

chiisana@lemmy.chiisana.net on 06 Sep 2023 21:25

Doesn’t chrome also need this? I know I get prompted to re-enable all urls permission every now and then when there’s a significant chrome and/or extension update.

p1mrx@sh.itjust.works on 06 Sep 2023 21:38

On Chrome, I only ever recall seeing the dialog when I install an extension, or if an extension is updated to use additional permissions.

Firefox MV3 is different, in that the all_urls permission cannot be granted on install. If an extension requests all_urls, it installs with the permission disabled. The user has to manually enable it for one site or all.

IPvFoo is mostly useless without all_urls, which is why I made it show that button until the permission is granted.
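The popup behaviour described in the comment above, as an added example that is not IPvFoo's code or anything from the original thread: an MV3 extension on Firefox cannot assume `<all_urls>` was granted at install time, so the popup checks the permission on open and keeps a "grant access" button until the user enables it. It assumes the standard WebExtensions `browser.permissions` API (`contains()` and `request()`, both promise-based); the `fakePermissions` stand-in is constructed here so the logic can run outside a browser.

```javascript
// Added example, not IPvFoo's own code. Assumes the Firefox WebExtensions
// `browser.permissions` API: contains({origins}) and request({origins}).
const ALL_URLS = { origins: ["<all_urls>"] };

// Pure decision: what the popup should render for a given grant status.
function popupStateFromGrant(granted) {
  return granted ? "ready" : "button";
}

// Ask the browser whether host access to every site is currently granted.
async function hasAllUrls(permissions) {
  return permissions.contains(ALL_URLS);
}

// Must be called from a user-gesture handler (e.g. a click); Firefox rejects
// permissions.request() otherwise.
async function requestAllUrls(permissions) {
  return permissions.request(ALL_URLS);
}

// State to render when the popup opens: "button" until granted, "ready" after.
async function popupState(permissions) {
  return popupStateFromGrant(await hasAllUrls(permissions));
}

// Click handler body: request the permission, then re-check the real grant
// status instead of trusting the request() return value alone.
async function onGrantClicked(permissions) {
  await requestAllUrls(permissions);
  return popupState(permissions);
}

// Constructed stand-in for browser.permissions so the flow runs outside a
// browser. A real popup would pass `browser.permissions` instead.
function fakePermissions(initiallyGranted) {
  let granted = initiallyGranted;
  return {
    contains: async (p) => granted && p.origins.includes("<all_urls>"),
    request: async (p) => {
      if (p.origins.includes("<all_urls>")) granted = true;
      return granted;
    },
  };
}

// Stand-alone demonstration of the full flow with the constructed stand-in.
async function demo() {
  const api = fakePermissions(false);
  const before = await popupState(api);        // "button"
  const after = await onGrantClicked(api);     // "ready"
  return { before, after };
}
```

In a real popup the permission that triggers this in Firefox MV3 is declared as `host_permissions: ["<all_urls>"]` in manifest.json; Firefox installs the extension with it disabled, which is why the popup has to render from `popupState(browser.permissions)` rather than assuming access, and why `onGrantClicked` is wired to the button's click listener instead of being called on load.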

chiisana@lemmy.chiisana.net on 06 Sep 2023 22:08

I see! Yeah I think Chrome asks one time on install and most users just blindly accept everything. Prompting on first actual use is a good idea.

Floey@lemm.ee on 06 Sep 2023 09:17

I use Firefox but this is kind of silly. The real advice is use very few addons. On Firefox I use only ublock.