this post was submitted on 06 Sep 2023
69 points (100.0% liked)

Technology

37720 readers
542 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
alyaza@beehaw.org
TheRtRevKaiser@beehaw.org
gyrfalcon@beehaw.org
rs5th@beehaw.org
Los@beehaw.org
coldredlight@beehaw.org
SemioticStandard@beehaw.org
TheRtRevKaiser@kbin.social
remington@beehaw.org
69
Password-stealing Chrome extension smuggled on to Web Store (www.malwarebytes.com)
submitted 1 year ago by ijeff@lemdro.id to c/technology@beehaw.org
4 comments fedilink hide all child comments
 

cross-posted from !google@lemdro.id

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
you are viewing a single comment's thread
view the rest of the comments
[–] dan@lemm.ee 4 points 1 year ago

I am not sure how Manifest V3 is relevant here?

Because they literally tout security as one of the primary reasons for forcing it onto people.

https://developer.chrome.com/docs/extensions/mv3/intro/

The first line is “A step in the direction of security, privacy, and performance.”

https://developer.chrome.com/blog/mv2-transition/

“Manifest V3 is more secure, performant, and privacy-preserving than its predecessor.”

It’s the first thing they say.

If it doesn’t prevent a malicious extension from lifting your password in perhaps the most dumb and naive way I can think of, then it seems fairly disingenuous to describe it as “secure”.