this post was submitted on 09 Sep 2023

Linux and Tech News

[–] Buffalobuffalo@reddthat.com 5 points 1 year ago (2 children)

Isn't this exactly how LastPass and other password managers work? I did not read most of the article because it looked complicated, but is this new information?

[–] webghost0101@sopuli.xyz 4 points 1 year ago

I feel like if something like this isn't new information and is not fixed in 48 hours it needs repeating.

But I didn't read the article either and also don't use Chrome.

[–] leo@lemmy.linuxuserspace.show 1 points 1 year ago

From my reading, yes, that's how the others work, too. Extensions can grab passwords from the password field itself before you get to submit them and record them elsewhere.

This bit of information may not be new, but the proof of concept, submitted to Google's extension store, is. It's proof you can yank passwords automatically placed there by managers in Chrome using an extension created expressly to do that and served up by Google. And Manifest v3, Google's new set of extension changes aimed at beefing up security, does nothing to prevent this.

Now, the finger pointing ensues.

[–] TheCreeperFace@lemmy.dbzer0.com 2 points 1 year ago (1 children)

TLDR of sorts

To test Google's Web Store review process, the researchers decided to create a Chrome extension capable of password-grabbing attacks and try to upload it on the platform.

The researchers created an extension posing as a GPT-based assistant that can:

Capture the HTML source code when the user attempts to login on a page by means of a regex.
Abuse CSS selectors to select target input fields and extract user inputs using the '.value' function.
Perform element substitution to replace JS-based obfuscated fields with unsafe password fields.

The extension does not contain obvious malicious code, so it evades static detection and does not fetch code from external sources (dynamic injection), so it is Manifest V3-compliant.

Notable website examples of lack of protections highlighted in the report include:

gmail.com – plaintext passwords on HTML source code
cloudflare.com – plaintext passwords on HTML source code
facebook.com – user inputs can be extracted via the DOM API
citibank.com – user inputs can be extracted via the DOM API
irs.gov – SSNs are visible in plaintext form on the web page source code
capitalone.com – SSNs are visible in plaintext form on the web page source code
usenix.org – SSNs are visible in plaintext form on the web page source code
amazon.com – credit card details (including security code) and ZIP code are visible in plaintext form on the page's source code

Finally, the analysis showed that 190 extensions (some with over 100k downloads) directly access password fields and store values in a variable, suggesting that some publishers may already be trying to exploit the security gap.
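An added example, not code from this thread or from the paper it summarises: a Node.js triage script that heuristically flags the behaviours the TLDR lists in an extension's content scripts (selecting password inputs, reading their `.value`, rewriting input types), the kind of static check behind a count like the 190 extensions above. The sample scripts and file names are constructed for illustration.

```javascript
// Heuristic static triage of extension content scripts. Constructed samples;
// a flagged script still needs manual review, and an unflagged one is not cleared.
const SELECTOR_CALL = /(?:querySelector(?:All)?|\$)\s*\(\s*(["'`])((?:(?!\1)[\s\S])*)\1\s*\)/g;
const TYPE_REWRITE = /(?:setAttribute\s*\(\s*["']type["']\s*,\s*|\.type\s*=\s*)["'](?:password|text)["']/;

function auditContentScript(name, source) {
  const findings = [];
  const tainted = new Set(); // variables assigned from a password-field selector
  const add = (line, kind) => {
    if (!findings.some((f) => f.line === line && f.kind === kind)) findings.push({ line, kind });
  };
  source.split('\n').forEach((text, i) => {
    const ln = i + 1;
    SELECTOR_CALL.lastIndex = 0;
    let m;
    while ((m = SELECTOR_CALL.exec(text)) !== null) {
      if (!/password/i.test(m[2])) continue; // only selectors aimed at password inputs
      const assign = text.match(/\b(?:const|let|var)\s+(\w+)\s*=/);
      if (assign) tainted.add(assign[1]);
      add(ln, /\.value\b/.test(text) ? 'password-value-read' : 'password-field-select');
    }
    // a later read of .value on an element captured from a password selector
    for (const v of tainted) {
      if (new RegExp(`\\b${v}\\.value\\b`).test(text)) add(ln, 'password-value-read');
    }
    if (TYPE_REWRITE.test(text)) add(ln, 'input-type-rewrite'); // element/type substitution
  });
  const kinds = new Set(findings.map((f) => f.kind));
  const risk = kinds.has('password-value-read') ? 'high' : kinds.size > 0 ? 'medium' : 'none';
  return { name, risk, findings };
}

// Constructed samples: one harmless theme script, one "assistant" that reads the password field.
const SAMPLE_SCRIPTS = {
  'theme.js': "document.body.classList.add('dark');\nconst btn = document.querySelector('#submit');",
  'assistant.js': [
    "const field = document.querySelector('input[type=\"password\"]');",
    "field.addEventListener('input', () => {",
    '  const seen = field.value;',
    "  localStorage.setItem('draft', seen);",
    '});',
  ].join('\n'),
};

function auditAll(scripts) {
  return Object.entries(scripts).map(([n, s]) => auditContentScript(n, s)).filter((r) => r.risk !== 'none');
}

console.log(JSON.stringify(auditAll(SAMPLE_SCRIPTS), null, 2));
```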

[–] leo@lemmy.linuxuserspace.show 1 points 1 year ago

the analysis showed that 190 extensions (some with over 100k downloads) directly access password fields and store values in a variable, suggesting that some publishers may already be trying to exploit the security gap.

That's the scary bit. This field has been accessible for quite some time...