Technology

37362 readers

219 users here now

Rumors, happenings, and innovations in the technology sphere. If it's technological news or discussion of technology, it probably belongs here.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago

MODERATORS

[email protected]

Password-stealing Chrome extension smuggled on to Web Store (www.malwarebytes.com)

submitted 10 months ago by [email protected] to c/[email protected]

4 comments fedilink hide all child comments

cross-posted from [email protected]

Original source: https://arxiv.org/pdf/2308.16321.pdf

Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.

A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.

The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.

Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.

Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 3 points 10 months ago (1 children)

I wonder if a password manager that fills in for you would count. I’m guessing yes, thst it’s different than a key logger?