Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome Extension Steals Login Details

Posted by kdawson on from the hey-it-was-sitting-there-in-the-dom dept.

An anonymous reader sends word of a proof-of-concept Google Chrome browser extension that steals users' login details. The developer, Andreas Grech, says that he is trying to raise awareness about security among end users, and therefore chose Chrome as a test-bed because of its reputation as the safest browser. Grech says he does not doubt that Chrome is a safe browser, but the point is that such an extension could be written for any of them. Grech says he has not uploaded his extension to the Google Chrome repository or anywhere else; but he has published enough details to allow others to reproduce the technique easily.

20 of 155 comments (clear)

  1. How is this different by yoyhed · · Score: 5, Insightful

    How is this different than just downloading and installing a program? Chrome (and Firefox for that matter) give you a warning about trusting the source before installing an extension. Does it surprise anyone that allowing malicious code to run on their computer can expose their information?

    --
    WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
    1. Re:How is this different by binkzz · · Score: 2, Interesting

      You are correct, and this "news" article is hardly shocking or news. But I do agree that plugins have too many permissions.for all sites that you browse, and that security could be a lot tighter.

      --
      'For we walk by faith, not by sight.' II Corinthians 5:7
    2. Re:How is this different by Tom · · Score: 4, Insightful

      Does it surprise anyone

      Yes, anyone who is not a geek.

      Look, to us tech people, these things are obvious. But everyone else out there doesn't have a clue. You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter, or if he does get that idea, that he can't do it. No matter how silly it sounds. This is why our society works, because we can safely use tools without having to be experts in them.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:How is this different by n0-0p · · Score: 4, Informative

      NoScript does nothing whatsoever to restrict extensions or plugins. Nor would it even possible for it to do so without a major redesign of Firefox's extension system including the introduction of a security model with trust levels.

    4. Re:How is this different by n0-0p · · Score: 4, Informative

      Chrome already lists the permissions an extension requests at installation. The UI on that interaction is junk, so you need to be a fairly knowledgeable user to make heads or tails of it, but the information is definitely there.

    5. Re:How is this different by yoyhed · · Score: 2, Interesting

      I agree with your sentiments. However, note that in IE it does NOT warn you at all - that's not good. There should be one warning.

      However, that's beside my point. I was just demonstrating that Chrome has plenty of warning for installing an extension, and that people should not get their panties in a bunch because *gasp* users ignoring a warning about downloading and installing software from third parties can lead to malicious code execution.

      --
      WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
    6. Re:How is this different by Anonymous Coward · · Score: 2, Funny

      NoScript does nothing whatsoever to restrict extensions or plugins.

      *gasp* HERETIC!!! This is SLASHDOT, unbeliever! The almighty NoScript and its blessed son FlashBlock are the infallible answers to every single problem you have ever had or will ever have. REPENT! REPEEEEEEENT!!!

    7. Re:How is this different by nacturation · · Score: 4, Funny

      Maybe what the browsers need is some sort of vetted App Store for extensions, where all submissions are reviewed by a central authority and approved or rejected?

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    8. Re:How is this different by scamper_22 · · Score: 3, Informative

      We, developers take it as a given that programs (and thus extensions) should be able to do anything. Arbitrary code if you will.
      If you actually think about it, it's a little nuts. You download an application, and it could reformat your harddrive.

      Truth be told, even we programmers simply rely on 'trust' that the various programs and extensions aren't doing anything evil.
      I don't go through every line of source code. I trust the developers. I trust a popular program. But it really is just that... trust.

      Now the OS does prevent somethings to enhance trust. There are file permissions for example.

      Other web technologies have other security. Silverlight for example can open local files... but the user has to manually select it via the windows file dialog. You can't program in a file location.
      They were smart enough to not just take the Active X approach were 'just because you visit this website and run the application, it can do anything'. They build limitations into the environment.

      So what safeguards does a browser provide?
      Well, password information is crucial. Quite frankly, any application that even attempts to access a password field should be blocked... unless the user explicitly understand this. And I don't mean some generic warning message that applies to every extensions.

      And so the point is... extension are no different than downloading and installing a regular program... but they bloody well should be!

  2. OK... by The+MAZZTer · · Score: 4, Insightful

    He's just doing basic stuff here with that extension. When you try to install any extension Chrome throws up a warning that the extension can access your personal data on whatever sites the extension author has requested access to in the manifest.json file. Ignore that warning at your own peril, especially if it doesn't match with what the extension description says it should do.

    Lots of extensions inject content scripts. Lots of extensions do random AJAX calls to random sites that the user doesn't have open in a tab. That he put the two together to steal data is hardly revolutionary.

    The only problem I see is that if the author specifies enough websites in their extension permissions, Chrome truncates them to "multiple sites" which is a bit ambiguous.

  3. Standard abuse of trust. Is this /. worthy? by Anonymous Coward · · Score: 2, Insightful

    Guy learns to program, abuses trust of software users. Film at 11?

  4. In other news ... by gdshaw · · Score: 4, Funny

    ... a proof-of-concept Google Chrome browser extension that steal users' login details.

    That's nothing. Wait till you see my research on what's possible when you get the user to install a malicious kernel module ...

  5. Re:Sandbox? by christoofar · · Score: 4, Funny

    I think you might also risk catching something if you're *thrusting* the author.

  6. "For now.,," by John+Hasler · · Score: 4, Insightful

    > For now, only install plugins from people you know and trust...

    Um, "for now"?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  7. Re:UGH! When are you going to learn?? by countertrolling · · Score: 2, Interesting

    They ARE censoring their search results. And they are doing that everywhere, not just China. What makes you think they aren't? Because they say so? Please... stop

    --
    For justice, we must go to Don Corleone
  8. Erm, news? by thePowerOfGrayskull · · Score: 3, Insightful

    So, he created a plugin that let him do what the plugin architecture is designed to allow him to do? I'm not sure how this is newsworthy...

  9. What is this browser safety you speak of? by nickdwaters · · Score: 2, Insightful

    Security is only as effective as the experience and intelligence and of the user. You can't fix stupid. - Ron White

  10. In other news ... by GNUALMAFUERTE · · Score: 3, Insightful

    Executing arbitrary code downloaded from the internet might lead to arbitrary code execution. Not news.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  11. Andreas Grech by sycodon · · Score: 2, Insightful

    Someone should illustrate his lack of body armor by shooting at him with a large caliber rifle.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  12. In another news by caekys · · Score: 2, Funny

    Installing another mouse on your computer steals your cursor control.