
Andrea Grech, a programmer, claims that he wrote a plugin/extension that could steal the login IDs and passwords of the users who installed it. He will receive their Facebook and Twitter passwords and IDs in an email from the plugin.
In his own words: The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.
By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.
The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the URL, and then proceeds to submit the form normally so as to avoid detection.
This simple procedure has been successful against Gmail, Facebook, Twitter and other major websites.
Update from the original blogger: This is not just Google Chrome, and…
Some have also commented as regards me demonstrating this on Google Chrome. Yes, other browsers can also be ‘vulnerable’ to this technique but I chose to try this on Google Chrome because it has apparently been dubbed as ‘the safest browser available’, and I’m not denying that. I wanted to make users aware that although Google Chrome is, undoubtedly, a safe browser to use, they should still be careful about what they install on their browsers and not blindly trust anything.
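As an added example (not part of the original post or of Grech's PoC): an extension can only read a page's form fields if its manifest gives it access to that page, so one check before trusting an extension is to see which sites it can reach. The script below audits a parsed manifest.json for content-script match patterns and host permissions that cover all sites or a list of hosts you care about; the sample manifests and host names are constructed.

```javascript
// Chrome match patterns that cover every host for at least one web scheme.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// True if a match pattern lets the extension run on pages served from `host`.
function patternCoversHost(pattern, host) {
  if (BROAD_PATTERNS.has(pattern)) return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const patHost = m[2];
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

// Returns findings for one parsed manifest.json: every pattern that reaches
// all sites, or one of the hosts the user cares about (sensitiveHosts).
function auditManifest(manifest, sensitiveHosts) {
  const sources = (manifest.content_scripts || []).map(cs =>
    ({ where: "content_scripts", patterns: cs.matches || [] }));
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  sources.push({ where: "permissions", patterns: perms.filter(p =>
    typeof p === "string" && (p === "<all_urls>" || p.includes("://"))) });
  const findings = [];
  for (const { where, patterns } of sources) {
    for (const p of patterns) {
      if (BROAD_PATTERNS.has(p)) { findings.push({ where, pattern: p, reach: "all sites" }); continue; }
      for (const h of sensitiveHosts)
        if (patternCoversHost(p, h)) findings.push({ where, pattern: p, reach: h });
    }
  }
  return findings;
}

// Constructed sample manifests and host names (not from any real extension).
const SENSITIVE = ["accounts.example-bank.test", "mail.example.test"];
const broad = { name: "Sample A", manifest_version: 2, permissions: ["tabs"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["c.js"] }] };
const scoped = { name: "Sample B", manifest_version: 3,
  host_permissions: ["https://news.example.org/*"],
  content_scripts: [{ matches: ["https://*.example.test/*"], js: ["c.js"] }] };

for (const m of [broad, scoped])
  console.log(m.name, JSON.stringify(auditManifest(m, SENSITIVE)));
```

The audit covers only what the manifest declares up front; patterns listed under `optional_permissions` and granted later are not checked here.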

{ 12 comments }
Why is this considered big news?
Every Greasemonkey script or user script (with cross-origin request capabilities) can do it, too.
Every NPAPI\ActiveX plugin can do it, too.
When you install something, you have to trust the author, this has always and will forever be the case.
This is not a security flaw, this is a naive user issue.
What are the precautions that we can take, then? Install extensions only from trusted sources? Are all extensions on the gallery getting tested for something before being approved?
Only extensions that can be harmful to your system and local files are being approved first (meaning – only extensions with NPAPI (native C++ code) plugins).
Thank you for the update!
Please note that in my post, I never stated that this is either big news or that it is a ‘security flaw’.
I simply demonstrated that such things can be done and that users should be aware of what extensions to trust when installing 3rd party applications.
Thanks, Andreas!
I have now written a follow up in my post to clarify some misconceptions that have been floating around the internet.
Thanks! I updated the post!
btw, u became famous
When installing any plug-in/extension in any web browser, we are warned to only install add-ons/plug-ins/extensions from trusted parties.
So true PhistucK.
“This is not a security flaw, this is a naive user issue.”
This is how all web browsers secure this vulnerability.
Thanks for the update! I understand it now.
Trusting the author really means nothing. What is the best practice?
Can we have a sandbox where a version of the browser without any add-ons can be opened if you want to do banking?
The danger I see is that even if the extension starts off being of good intentions, eventually, Darth Vader might take over its development and start doing bad things to good people. So it’s not a matter of if bad things will happen, it is when.
You wouldn’t want the evidence to be a mushroom cloud, would you?
Try an incognito window...
No add-ons work there.