Skip Navigation
Technology @beehaw.org
ijeff @lemdro.id

Password-stealing Chrome extension smuggled on to Web Store

cross-posted from !google@lemdro.id

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
4 comments

  • Whatever reason Google makes up for Manifest 3, we all know it's to reduce efficient ad blocking.

  • I am not quite sure why there are all these bullet points that have very little todo with the actually issue.

    Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome’s latest security standard, Manifest V3.

    I am not sure how Manifest V3 is relevant here? Nothing in Manifest V3 suggests that content_scripts can't access the DOM.

    The core issue lies in the extensions’ full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.

    I'd also say this isn't directly the issue. Yes, content_scripts needing an extra permissions to be able to access password input fields would help of course.

    Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.

    Yes... because accessing the DOM and interacting with it is what browser extensions do. If anything, that 12.5% feels low, so I am going to guess it is the combination of accessing the DOM and being able to phone home with that information.

    A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.

    This, to me, feels like the core of the issue right now. The behavior as described always has been part of browser extensions and Manifest V3 didn't change that or made a claim in that direction as far as I know. So that isn't directly relevant right now. I'd also say that firefox is just as much at risk here. Their review process over the years has changed a lot and isn't always as thorough as people tend to think it is.

    Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.

    "A javascript library" is not going to do much against content_scripts of extensions accessing the DOM.

    The alert system seems better indeed, but that might as well become browser extension permission.

    To be clear, I am not saying that all is fine and there are no risks. I just think that the bullet point summary doesn't really focus on the right things.