cross-posted from !google@lemdro.id

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome’s latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions’ full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
  • chiisanaA
    link
    11 year ago

    Doesn’t chrome also need this? I know I get prompted to re-enable all urls permission every now and then when there’s a significant chrome and/or extension update.

    • @p1mrx@sh.itjust.works
      link
      fedilink
      4
      edit-2
      1 year ago

      On Chrome, I only ever recall seeing the dialog when I install an extension, or if an extension is updated to use additional permissions.

      Firefox MV3 is different, in that the all_urls permission cannot be granted on install. If an extension requests all_urls, it installs with the permission disabled. The user has to manually enable it for one site or all.

      IPvFoo is mostly useless without all_urls, which is why I made it show that button until the permission is granted.

      • chiisanaA
        link
        11 year ago

        I see! Yeah I think Chrome asks one time on install and most users just blindly accept everything. Prompting on first actual use is a good idea.