Forgot your password?
typodupeerror
Google Security Privacy Technology

Google Chrome Extension Steals Login Details 155

Posted by kdawson
from the hey-it-was-sitting-there-in-the-dom dept.
An anonymous reader sends word of a proof-of-concept Google Chrome browser extension that steals users' login details. The developer, Andreas Grech, says that he is trying to raise awareness about security among end users, and therefore chose Chrome as a test-bed because of its reputation as the safest browser. Grech says he does not doubt that Chrome is a safe browser, but the point is that such an extension could be written for any of them. Grech says he has not uploaded his extension to the Google Chrome repository or anywhere else; but he has published enough details to allow others to reproduce the technique easily.
This discussion has been archived. No new comments can be posted.

Google Chrome Extension Steals Login Details

Comments Filter:
  • by yoyhed (651244) on Saturday July 10, 2010 @02:41PM (#32861260)
    How is this different than just downloading and installing a program? Chrome (and Firefox for that matter) give you a warning about trusting the source before installing an extension. Does it surprise anyone that allowing malicious code to run on their computer can expose their information?
    • Re: (Score:1, Redundant)

      by Ziekheid (1427027)

      True. Nuff said.

    • Re: (Score:3, Interesting)

      by binkzz (779594)
      You are correct, and this "news" article is hardly shocking or news. But I do agree that plugins have too many permissions.for all sites that you browse, and that security could be a lot tighter.
      • by Jurily (900488)

        Does a tight Noscript setup block the attempts of malicious plugins to communicate with malicious sites?

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Definitely not. Noscript only prevents scripts running on web pages.

        • by n0-0p (325773) on Saturday July 10, 2010 @04:17PM (#32861672)

          NoScript does nothing whatsoever to restrict extensions or plugins. Nor would it even possible for it to do so without a major redesign of Firefox's extension system including the introduction of a security model with trust levels.

          • Re: (Score:2, Funny)

            by Anonymous Coward

            NoScript does nothing whatsoever to restrict extensions or plugins.

            *gasp* HERETIC!!! This is SLASHDOT, unbeliever! The almighty NoScript and its blessed son FlashBlock are the infallible answers to every single problem you have ever had or will ever have. REPENT! REPEEEEEEENT!!!

          • by TheLink (130905)
            If you're paranoid, run multiple browsers using different accounts (under a main user).

            For example, you login as mainuser. Browser1 runs as wwwbrowser1, browser2 runs as wwwbrowser2.

            You do your banking stuff with browser1 which has zero or only extensions you are sure you can trust. You do your normal browsing with browser 2.

            You configure browser 2 to have a different skin (browser 1 has default skin), so that you can more easily tell the difference.

            This way if browser 2 is pwned. It is lesss likely to have
            • by n0-0p (325773)

              I think you may have intended to reply to someone else. I was simply answering a question on NoScript's capabilities.

              Also I'm quite familiar with running multiple profiles; my job would actually be impossible without it. In Chrome you simply pass the --user-data-dir switch. I don't see how that's any worse than running Firefox with the -P and -no-remote switches (or the old way requiring env vars). I am curious how you run IE under a separate profile without using a different Windows accounts. I didn't thin

              • by TheLink (130905)

                You did mention "introduction of a security model with trust levels".

                And I don't think it's going to be easy to do right while allowing many types of extensions - after all if there can be extensions that help manage passwords, it'll be possible to have extensions that can abuse them.

                So IMO it is better to just run different browser instances as different user accounts as I suggested.

                Running browser instances as the same user but different data directories does not protect you as much. Because if the browse

                • by n0-0p (325773)

                  You're conflating a few different things. There's origin security and there's local client security. Origin security is what protects you from one site accessing browser data from another site. Any discussion of extension permissions would apply primarily to origin security, because once you install anything with local client access you've already lost control. And when considering origin security, separate profiles within the same OS-level user account provide one method of strict enforcement.

                  Now, if your

                  • by TheLink (130905)

                    Conflating or not, I prefer a more role/task based concept.

                    That way I can use one browser for lower security level stuff (whether visiting sites, or having more fancy plugins), and not have it affect my other browser which I use for higher security level stuff.

                    And I can do this without having to buy multiple computers.

                    If the browsers support sandboxing that's great. But whether they do or not does not affect my approach. I'd still be using multiple browsers, because it is just better "hygiene", and a more s

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Funny you should mention NoScript, since that's a plugin that's already been involved in its own scandal [hackademix.net]. Not as bad as stealing login information but still a breach of the users' trust.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Some check boxes showing which permissions the plugin wants, and which permissions you will give it, would be nice, easy, and effective at preventing something titled as a "bookmark enhancer" from stealing your passwords

    • by Tom (822) on Saturday July 10, 2010 @03:06PM (#32861396) Homepage Journal

      Does it surprise anyone

      Yes, anyone who is not a geek.

      Look, to us tech people, these things are obvious. But everyone else out there doesn't have a clue. You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter, or if he does get that idea, that he can't do it. No matter how silly it sounds. This is why our society works, because we can safely use tools without having to be experts in them.

      • by rumith (983060)
        Yes, but this crap is reported on Slashdot, which is advertised to deliver news for nerds, not plumbers! Hell, this guy didn't even try to upload his exploit to the official extension repository because, as he claims, he "didn't want to exploit the vulnerability and harm end users".
        Remember when Google pulled a vulnerability exploit proof of concept app from the Android Market, and purged it from end-user phones? That was a security research project. And this is just an A-grade crap.
        • by BigDXLT (1218924)
          The news has to be dispersed somewhere. It's a reminder that we can't just dump alternate browsers on our friends and expect them to stay 100% secure. I'm not saying it's worse than IE, but if some people are gullible enough to download that virus program, they're sucker enough to download malicious plugins too.
          • by yoyhed (651244)

            if some people are gullible enough to download that virus program, they're sucker enough to download malicious plugins too

            And that's not the browser's fault in any way. You can't stop idiotic users from downloading malicious shit unless you stop them from downloading ANY program or plugin. They'll ignore every warning they see because they don't feel like reading.

      • by yoyhed (651244)
        What I meant by "does it surprise anyone" is "this is sensationalist BS to the Slashdot crowd". You're correct, but you're also missing my point - that this is about the same as downloading and installing any program, as far as the actions a user has to take to do so.

        Clueless people can go install LimeWire just as easily as they can install a bad extension for Chrome. Hell, look at how easy it is to download and install something from IE - try the installer at http://www.google.com/chrome [google.com] in IE8. It's a
      • by hitmark (640295)

        sad thing is, most non-geeks will not read this unless it happens to land on some front page in scare-types.

        and even then they will likely not see the simple solution (be smarter when you browse) and instead hit the government "protect me!" button over and over like a caffeinated squirrel.

      • You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter

        Or, you could educate the user that fire and gasoline don't mix. They don't need to know the chemical reaction side of it, but simply informing them that these two things don't mix shouldn't be too difficult. (I know you were being extreme to prove a point, so was I).

        I find it ridiculous to continually dumb down products. To me, this seems like it will cause a slippery slope to stupidity. What happens if we dumb down the products to the point where people don't know how to create them anymore, or th

        • by snl2587 (1177409)

          I find it ridiculous to continually dumb down products. To me, this seems like it will cause a slippery slope to stupidity. What happens if we dumb down the products to the point where people don't know how to create them anymore, or the knowledge is only in the hands of the far and few? I resist the notion that learning should be back-seated for short-term profits. In the long run, people will become too stupid to buy those products and we're stuck with even dumber products.

          Funny thing: how many people do you know in regular society that can put together a lightbulb? How about a microwave? What about the latest iPhone?

        • by Tom (822)

          Or, you could educate the user that fire and gasoline don't mix.

          Yes, and to only walk on green, and to install antivirus, and to have safe sex, insurance, not go into certain parts of town, keep the car in working condition, verify their patch level is current, check all money for forgery is easy as well, and two million other things.

          There is only so much that a human brain can actually act on. Storage is not the problem, recall is. Sometimes, the right decision is to educate people, but it is not a panacea. If it is easier to simply design in a safety than to educate e

          • It's not about memorizing facts, or about recalling something, it's about knowing what you know and what you don't know. I don't know how to use a chainsaw properly, but I know enough to know that I don't know, and that I would need to learn how or I'm going to get hurt.

            If it is easier to simply design in a safety than to educate everyone and keep them educated, then building in the safety is the proper thing to do.

            That's true, if the safety has no downsides whatsoever. Otherwise, it bears more discussion.

            For example, the iPhone and the Great Firewall of China [wikipedia.org], both of which claim to be making things more secure and stable for you by removing your choi

            • by Tom (822)

              For example, the iPhone and the Great Firewall of China, both of which claim to be making things more secure and stable for you by removing your choice. Even if the iPhone is more secure for the kind of user who would download BonziBuddy, I don't think it's worth it, and this is exactly what is meant by dumbing down.

              Here's the funny thing: You're dead wrong. I'm an iPhone developer. There is no "dumbing down" here at all. Anything I want it to do, I can make it do. However what has happened, in comparison to 1980s computers, is that the user has most of the complicated stuff hidden away from him. That is not a conspiracy, it is the normal process by which things mature. Look at cars: Early on, you'd better know quite a bit about it, just to drive one. These days, you put your car into the ignition, and you care nothing

              • I'm an iPhone developer. There is no "dumbing down" here at all.

                For the user?

                Anything I want it to do, I can make it do.

                Jailbroken?

                the user has most of the complicated stuff hidden away from him.

                In the case of the iPhone, it's not that the complicated stuff is hidden. It's that it's actually forbidden -- see above. Can you make it do anything Apple doesn't explicitly allow?

                That is not a conspiracy,

                I never suggested it was.

                Nor do I think Apple and China are in a conspiracy to censor technology -- they just seem to agree (quite publicly and openly) that computer users need to be protected from themselves, beyond the point of making it simpler and more usable, and to the point of removing choices.

                Look at cars: Early on, you'd better know quite a bit about it, just to drive one. These days, you put your car into the ignition, and you care nothing about what goes on under the hood.

                I do,

                • by Tom (822)

                  Nor do I think Apple and China are in a conspiracy to censor technology -- they just seem to agree (quite publicly and openly) that computer users need to be protected from themselves, beyond the point of making it simpler and more usable, and to the point of removing choices.

                  Removing choices is what design is all about. In the words of Antoine de Saint Exupery: "You know you've achieved perfection in design. Not when you have nothing more to add. But when you have nothing more to take away."

                  A light switch works so well precisely because it gives you two options: "Lights on" or "Lights off", instead of presenting you with a spectrum of things you can do with electron flow through a wire.

                  Anything I want it to do, I can make it do.

                  Jailbroken?

                  *laugh* no. Why should I? Sure, some Apps would not be accepted in the App Store, but I can s

                  • A light switch works so well precisely because it gives you two options: "Lights on" or "Lights off", instead of presenting you with a spectrum of things you can do with electron flow through a wire.

                    Mostly because, in that situation, it would be useless.

                    By contrast, despite being automatic, my car's transmission also has a first and second gear and an overdrive toggle, not to mention neutral and reverse. That's just the transmission -- my car also has four separate braking mechanisms, each with their own unique interface. It may be possible to simplify this, but people are willing to put up with this situation from a car.

                    Take a moment to look into a car sometime. Count how many separate controls there

                    • by Tom (822)

                      Take a moment to look into a car sometime. Count how many separate controls there are, and remind yourself that this thing's purpose is ultimately to move you from point A to point B.

                      I know. Cars are some of the things that you quickly come across when you teach yourself about design. And I mean car controls, not bodies. :-)

                      The point is, of course, that the purpose is not to get your from A to B. If that were the ultimate purpose, the interface could be a lot simpler - and is. The interface for a taxi is "open door, sit down, close door, talk to driver, wait, pay driver, open door, get out, close door".

                      All the additional complications of a car are because you want to drive from A to B y

                    • All the additional complications of a car are because you want to drive from A to B yourself. Plus quite a lot of the controls have nothing to do with driving, they're for the stereo or the AC or they serve secondary purposes such as the gas gauge or the maintainance lamp.

                      And this maps well to computers.

                      The additional complication of having to change the oil occasionally (or have someone else do it), knowing what the RPM gauge means (or at least that redlining is bad), needing a key to get into your car, etc, all have reasonable analogies in the computer world, and there doesn't seem to be much in a computer that doesn't have a similar analogy in the car interface.

                      The additional stuff, like the stereo, air conditioning, windows, etc, maps to additional stuff users might have

      • Does it surprise anyone

        Yes, anyone who is not a geek.

        Look, to us tech people, these things are obvious.

        Please, most people (>90%) posting on Slashdot are perfectly ignorant of how security works. Don't toot your/our horn too much.

      • by Yvanhoe (564877)
        Because, obviously, the average user who apparently is not able to read a warning on his computer screen is likely to go look for information on security blogs...
      • I might argue that you have cited the reason our society is most likely to fail. We protect morons from themselves, so that they can survive to breed. Society is selectively breeding more and more morons with each generation.

        If the idiot wants to peer down his fuel tube with a match, LET HIM DO IT!! Don't stand in his way. Hell, let's facilitate the operation - move the gas tank into the trunk, and put a trap door on top of the tank, and put a box of matches right beside the trap door.

        The gene pool real

        • by Tom (822)

          We protect morons from themselves, so that they can survive to breed.

          That is true, and it irks me to no end. However, the real problem is not selection - most of the moronic things are not deadly. The real problem is that we encourage stupidity.

          Just look at the idols of the day. Most of them are either dumb as shit, or at least pretend to be (I'm looking at you, Paris). Dumb is "cool". The whole football/soccer world cup has been a great example - otherwise smart people use it as an opportunity to become total idiot assholes for an evening, or several.

          Selection does not only

    • by scamper_22 (1073470) on Saturday July 10, 2010 @08:49PM (#32863440)

      We, developers take it as a given that programs (and thus extensions) should be able to do anything. Arbitrary code if you will.
      If you actually think about it, it's a little nuts. You download an application, and it could reformat your harddrive.

      Truth be told, even we programmers simply rely on 'trust' that the various programs and extensions aren't doing anything evil.
      I don't go through every line of source code. I trust the developers. I trust a popular program. But it really is just that... trust.

      Now the OS does prevent somethings to enhance trust. There are file permissions for example.

      Other web technologies have other security. Silverlight for example can open local files... but the user has to manually select it via the windows file dialog. You can't program in a file location.
      They were smart enough to not just take the Active X approach were 'just because you visit this website and run the application, it can do anything'. They build limitations into the environment.

      So what safeguards does a browser provide?
      Well, password information is crucial. Quite frankly, any application that even attempts to access a password field should be blocked... unless the user explicitly understand this. And I don't mean some generic warning message that applies to every extensions.

      And so the point is... extension are no different than downloading and installing a regular program... but they bloody well should be!

      • by yoyhed (651244)
        That's a good point. AFAIK, Chrome does have some sort of listing of what permissions the extension is requesting at installation - however, it should probably have an extra warning for password stuff.

        Ignorant people will probably skim over the initial warning because they see a bunch of stuff they don't understand (or more commonly because they DON'T EVEN BOTHER TRYING TO READ IT) - so the password warning would have to be as blunt as possible.

        I can't believe how many people just don't even bother re
    • I am a little confused here. This article very specifically singles out Google Chrome. But, it turns out the same thing could be done with any browser?

  • OK... (Score:5, Insightful)

    by The MAZZTer (911996) <megazzt@gmai[ ]om ['l.c' in gap]> on Saturday July 10, 2010 @02:42PM (#32861266) Homepage

    He's just doing basic stuff here with that extension. When you try to install any extension Chrome throws up a warning that the extension can access your personal data on whatever sites the extension author has requested access to in the manifest.json file. Ignore that warning at your own peril, especially if it doesn't match with what the extension description says it should do.

    Lots of extensions inject content scripts. Lots of extensions do random AJAX calls to random sites that the user doesn't have open in a tab. That he put the two together to steal data is hardly revolutionary.

    The only problem I see is that if the author specifies enough websites in their extension permissions, Chrome truncates them to "multiple sites" which is a bit ambiguous.

  • by Anonymous Coward

    Guy learns to program, abuses trust of software users. Film at 11?

  • Evidence exists that browser plugins and extensions are providing a lot of leaks and possibilities for intrusions.

    So avoid installation of unnecessary problems by not installing anything else than really necessary extensions for your browser activities. What browser manufacturers needs to consider is how to improve security related to extensions and plugins. One way is to make sure that the plugins and extensions run in isolated subprocesses with lowest necessary privileges.

    • by Khyber (864651)

      "Evidence exists that browser plugins and extensions are providing a lot of leaks and possibilities for intrusions."

      *coughFLASHcoughJAVASCRIPTcoughACTIVEXcough*

  • by gdshaw (1015745) on Saturday July 10, 2010 @02:50PM (#32861310) Homepage

    ... a proof-of-concept Google Chrome browser extension that steal users' login details.

    That's nothing. Wait till you see my research on what's possible when you get the user to install a malicious kernel module ...

    • by Nemilar (173603)

      I get your point (that a kernel module, being low-level, gives you greater access), but I think a malicious browser extension is worse.

      * It's a lot less likely that a user will install a malicious kernel module, as compared to a browser plugin.
      * It's a lot easier for someone with bad intentions, a few hours, and a little coding experience to write a browser plugin, than it is for them to write a kernel module.
      * It's much easier to distribute a plugin, and the install base is much greater.
      * The signal/noise

      • by hitmark (640295)

        and this is why i dont worry much about rootkits for home computers, as even access to just the users account will likely expose a whole lot of valuable data to whoever wants it. so if one want more security the valuable data should be accessed by way of an account that only do so, and have no real contact with the everyday user activity.

        heck, was there not talk about a livecd specifically for banking?

      • by gdshaw (1015745)

        You're reading too much into my subtle sarcasm: I was merely suggesting that this is a highly unsurprising result. All that has been discovered here is a special case of the rule that your security is at risk if you download and execute malicious code.

    • by hilather (1079603)

      ... a proof-of-concept Google Chrome browser extension that steal users' login details.

      That's nothing. Wait till you see my research on what's possible when you get the user to install a malicious kernel module ...

      I can't wait to see how long the instructions for installing your kernel module will be. Remember you have to /trick/ a regular user.

      • by gdshaw (1015745)

        OK, let me explain. The kernel module was what's known as a 'rhetorical device' intended to illustrate a point. The point was that writing a program do commit a dastardly deed, then executing it in a context where it has permission to commit that dastardly deed, is (a) not news, and (b) not even a security violation.

  • Is this different than someone deciding to run a bash script that wipes their hard drive, as root?

    So you can install an extension that's bad. Like you can open an e-mail attachment that's bad. Like you can open a programmable document that has a bad macro.

    Seriously, where's the security concern? Don't install crap extensions and you won't have your passwords stolen through crap extensions. Easy enough?

  • how about a sandbox? How about stealing some Ideas from java? I think one can introduce a "Wants to read password" exception" or a "wants to transfer data outside" exception. And at least firefox points out to me that installing extensions requires thrusting the author
    • Re:Sandbox? (Score:5, Funny)

      by christoofar (451967) on Saturday July 10, 2010 @02:56PM (#32861352)

      I think you might also risk catching something if you're *thrusting* the author.

    • by symes (835608)
      For your average user, sometimes it is enough for a piece of software to come with a note saying that installing this app is absolutely essential. So the question is, do we harden the browser or do we harden the user? The latter is impossible, and thinking otherwise is potentially negligent. Seriously, people have tried suing burger chains because they got fat on burgers and chips. People have tried suing bar owners because they drank too much and crashed their car. The depths of stupidity know no limits. S
    • by selven (1556643)

      The Chrome extensions system has the concept of permissions, where an extension must list the special permissions it needs in its manifest.json file. If the extension requires special permissions, the user is warned. If the extension tries to do something requiring permissions without asking for them, it fails. One comment in TFA says that the proof of concept extension given does require permissions. If that's true, then this is a nonstory, since it would be just as hard to get in by convincing the user to

      • by drolli (522659)

        Yes, i think its an nonstory.

        However:

        Me (to secretary): I can access the webpage without getting a warning about the certificate
        Secretary: I cant access it without problems
        I (sitting besides her) see that she takes 0.1 sec to click the warning away: Ahem, you just got the warning!
        Secretary: yes, its always there.

        (And this was an company-internal application where the fix was to download the certificate exactly from the same untrusted website - that educates the users well)

        Maybe the permission for "reads pas

        • by n0-0p (325773)

          There isn't anything like "reads password data," nor could there be without drastic changes to the DOM standard and how JavaScript is implemented in modern browsers. The way the system works is that the installation manifest states what origins a content script will run in. And any script executing within an origin has access to all that origin's data. This is conveyed to the user with a message like "this extension can access data from site X.com" or "this extension can access data from all sites."

          If you h

          • by drolli (522659)
            Did you read the document you cite? Its says: "We focus on benign-but-buggy extensions"; this seems to not the case here.
            • by n0-0p (325773)

              Not only have I read the paper, I've worked with a few of the authors on this subject matter. And that's why I know that it's essentially impossible to provide a useful extension API that is not also vulnerable to intentional abuse. Claiming the opposite is akin to claiming you've refuted Gödel's first incompleteness theorem. And if you've succeeded at either, I'd like to see the evidence. (Just a heads-up, you're starting to line up a pretty tall list of things you'll need to accomplish to support you

              • by drolli (522659)

                Before i claim the opposite, i would like to see your mathematical proof that a "useful" API can not protect against intentional abuse. (Citation?)

                • by n0-0p (325773)

                  You have this backwards. I can point to every major browser, along with research directly addressing the topic. Whereas you haven't provided one iota of evidence to back up your misguided and ignorant statements.

                  Since it's obvious you have nothing of value to contribute, I'm just going to close this out with a suggestion. When confronted with a topic you obviously know nothing about, please resist the temptation to make noise just so people will notice you. It just wastes everyone's time and prevents you fr

    • by icepick72 (834363)
      Whooaaa buddy! ... you can imagine thrusting the author in a sandbox all you want but let's keep this discussion clean.
    • by n0-0p (325773)

      It's just sad that you find it perfectly acceptable to comment like this on an application you obviously know absolutely nothing about. Chrome actually does run extensions in a sandbox. It also warns on installation of an extension, and explains what permissions that extension requires. If an extensions attempts something require a privilege that wasn't in its installation manifest the operation fails. As I said in another comment, the UI has issues and could certainly be improved, but the fact is that Chro

  • "For now.,," (Score:5, Insightful)

    by John Hasler (414242) on Saturday July 10, 2010 @03:04PM (#32861388) Homepage

    > For now, only install plugins from people you know and trust...

    Um, "for now"?

  • Erm, news? (Score:4, Insightful)

    by thePowerOfGrayskull (905905) <{moc.liamg} {ta} {esidarap.cram}> on Saturday July 10, 2010 @03:14PM (#32861426) Homepage Journal
    So, he created a plugin that let him do what the plugin architecture is designed to allow him to do? I'm not sure how this is newsworthy...
    • by Jahava (946858)

      So, he created a plugin that let him do what the plugin architecture is designed to allow him to do? I'm not sure how this is newsworthy...

      Yeah, combined with the Android rootkit [slashdot.org] it seems like Google has no concept of security.

      These "security researchers" need to understand that there is neither respect nor prestige creating software that asks permissions to do something and then does it. They are merely pointing at various faces of a larger system flaw: that people who don't understand computers will not understand what any type of software can do to their computers. There really is no "best case" solution for this problem. Either choose a ve [apple.com]

      • They are merely pointing at various faces of a larger system flaw: that people who don't understand computers will not understand what any type of software can do to their computers.

        That's an excellent point, and one that most people miss. No matter how much security you lather onto a system (infrastructure and AV) or how difficult you make it to do mundane tasks (I'm looking at YOU uac and gksudo), it's fatally flawed if it has to be used by a person.

  • capable of running whatever code I instruct it to? Waah, I want big government/big business to protect me!

    Seriously though, this isn't news. Extensions are intended to be general purpose, and in order to be powerful enough to do what you want, some risks are taken. I suppose you could take a partial sandboxing approach such as BitFrost or that taken in Android to warn users of what permissions are being requested (and mitigate the effect of expoits), but there's a tradeoff between functionality and safety.

  • Security is only as effective as the experience and intelligence and of the user. You can't fix stupid. - Ron White
  • I wrote an extension to FF long ago that was reading any form field at all, including password fields and was able to send this information to any address on the web via an http call. Starting from FF version 2 the method I used to read the form field (basically enumerating the form input fields with javascript) could no longer read the password field from a form.

  • In other news ... (Score:4, Insightful)

    by GNUALMAFUERTE (697061) <almafuerte@nOspAM.gmail.com> on Saturday July 10, 2010 @04:25PM (#32861714)

    Executing arbitrary code downloaded from the internet might lead to arbitrary code execution. Not news.

  • ...WHY Google allows so much potential access of personal data to installed Extensions?!

    I mean every time I tried to install an extension on Chrome I got the warning that it could potentially access my user data and or browser history, and I still don't see any reason that extensions should (even potentially) be allowed access to that information!

  • Safari on iOS (iPad, iPhone, iPod) doesn't have extensions. On iOS, instead of an extension, the developer just creates a whole other browser, and that has to be audited to be deployed. Although you may be able to write this for Safari on Mac/Windows, those extensions have to be signed to run, and signatures can be revoked immediately, so even if you got this deployed, at the first sign of trouble it stops running on 100% of systems. There is very little point in tagging a wall that can repaint itself insta

  • by caekys (1845106)
    Installing another mouse on your computer steals your cursor control.
  • Chrome extensions are sandboxed, unlike firefox extensions. Through the extension API there is no access to the password database for extensions. Even when the user looks at passwords in chrome the password is not written in a window, it is written directly on the canvas, giving no access to hackers.
    The only way to get to the password database is to connect directly to the opensql database and decrypt the passwords with the userID - and that is how chrome password dumpers work.

    this story is pretty mean

To thine own self be true. (If not that, at least make some money.)

Working...