this post was submitted on 06 Sep 2023
149 points (98.1% liked)

Technology

34172 readers
70 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.

Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.

Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
[email protected]
149
Password-stealing Chrome extension smuggled on to Web Store (www.malwarebytes.com)
submitted 11 months ago by [email protected] to c/[email protected]
10 comments fedilink hide all child comments
 

cross-posted from [email protected]

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 58 points 11 months ago (3 children)

or, hear me out, use firefox instead

[–] [email protected] 42 points 11 months ago

I use Firefox but this is kind of silly. The real advice is use very few addons. On Firefox I use only ublock.

[–] [email protected] 18 points 11 months ago (2 children)

What exactly makes Firefox more resistant against malicious extensions?

[–] [email protected] 16 points 11 months ago (1 children)

Nothing really. The way add-ons interact with web pages is very similar.

[–] [email protected] 4 points 11 months ago

Yeah. That's why I don't understand how using Firefox would be solution to this. The only solution is to not use extensions.

[–] [email protected] 5 points 11 months ago (1 children)

Firefox requires explicit user interaction to grant the all_urls permission, although this only applies to Manifest V3. Here's what it looks like on my extension:

I could've just reverted to Manifest V2 to avoid that step, but V3 will probably become mandatory someday.

[–] [email protected] 1 points 11 months ago (1 children)

Doesn’t chrome also need this? I know I get prompted to re-enable all urls permission every now and then when there’s a significant chrome and/or extension update.

[–] [email protected] 4 points 11 months ago* (last edited 11 months ago) (1 children)

On Chrome, I only ever recall seeing the dialog when I install an extension, or if an extension is updated to use additional permissions.

Firefox MV3 is different, in that the all_urls permission cannot be granted on install. If an extension requests all_urls, it installs with the permission disabled. The user has to manually enable it for one site or all.

IPvFoo is mostly useless without all_urls, which is why I made it show that button until the permission is granted.

[–] [email protected] 1 points 11 months ago

I see! Yeah I think Chrome asks one time on install and most users just blindly accept everything. Prompting on first actual use is a good idea.

[–] [email protected] 12 points 11 months ago

Removes sunglasses My god! It's so crazy it might actually work!