Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome Extension Steals Login Details

Posted by kdawson on from the hey-it-was-sitting-there-in-the-dom dept.

An anonymous reader sends word of a proof-of-concept Google Chrome browser extension that steals users' login details. The developer, Andreas Grech, says that he is trying to raise awareness about security among end users, and therefore chose Chrome as a test-bed because of its reputation as the safest browser. Grech says he does not doubt that Chrome is a safe browser, but the point is that such an extension could be written for any of them. Grech says he has not uploaded his extension to the Google Chrome repository or anywhere else; but he has published enough details to allow others to reproduce the technique easily.

4 of 155 comments (clear)

  1. How is this different by yoyhed · · Score: 5, Insightful

    How is this different than just downloading and installing a program? Chrome (and Firefox for that matter) give you a warning about trusting the source before installing an extension. Does it surprise anyone that allowing malicious code to run on their computer can expose their information?

    --
    WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
    1. Re:How is this different by Tom · · Score: 4, Insightful

      Does it surprise anyone

      Yes, anyone who is not a geek.

      Look, to us tech people, these things are obvious. But everyone else out there doesn't have a clue. You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter, or if he does get that idea, that he can't do it. No matter how silly it sounds. This is why our society works, because we can safely use tools without having to be experts in them.

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. OK... by The+MAZZTer · · Score: 4, Insightful

    He's just doing basic stuff here with that extension. When you try to install any extension Chrome throws up a warning that the extension can access your personal data on whatever sites the extension author has requested access to in the manifest.json file. Ignore that warning at your own peril, especially if it doesn't match with what the extension description says it should do.

    Lots of extensions inject content scripts. Lots of extensions do random AJAX calls to random sites that the user doesn't have open in a tab. That he put the two together to steal data is hardly revolutionary.

    The only problem I see is that if the author specifies enough websites in their extension permissions, Chrome truncates them to "multiple sites" which is a bit ambiguous.

  3. "For now.,," by John+Hasler · · Score: 4, Insightful

    > For now, only install plugins from people you know and trust...

    Um, "for now"?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.