
Google Chrome Extension Steals Login Details

Posted by kdawson
from the hey-it-was-sitting-there-in-the-dom dept.
An anonymous reader sends word of a proof-of-concept Google Chrome browser extension that steals users' login details. The developer, Andreas Grech, says that he is trying to raise awareness about security among end users, and therefore chose Chrome as a test-bed because of its reputation as the safest browser. Grech says he does not doubt that Chrome is a safe browser, but the point is that such an extension could be written for any of them. Grech says he has not uploaded his extension to the Google Chrome repository or anywhere else; but he has published enough details to allow others to reproduce the technique easily.
  • by n0-0p (325773) on Saturday July 10, 2010 @03:17PM (#32861672)

    NoScript does nothing whatsoever to restrict extensions or plugins. Nor would it even be possible for it to do so without a major redesign of Firefox's extension system including the introduction of a security model with trust levels.

  • by n0-0p (325773) on Saturday July 10, 2010 @03:18PM (#32861682)

    Chrome already lists the permissions an extension requests at installation. The UI on that interaction is junk, so you need to be a fairly knowledgeable user to make heads or tails of it, but the information is definitely there.

  • by scamper_22 (1073470) on Saturday July 10, 2010 @07:49PM (#32863440)

    We developers take it as a given that programs (and thus extensions) should be able to do anything. Arbitrary code if you will.
    If you actually think about it, it's a little nuts. You download an application, and it could reformat your hard drive.

    Truth be told, even we programmers simply rely on 'trust' that the various programs and extensions aren't doing anything evil.
    I don't go through every line of source code. I trust the developers. I trust a popular program. But it really is just that... trust.

    Now the OS does prevent some things to enhance trust. There are file permissions for example.

    Other web technologies have other security. Silverlight for example can open local files... but the user has to manually select it via the windows file dialog. You can't program in a file location.
    They were smart enough to not just take the ActiveX approach where 'just because you visit this website and run the application, it can do anything'. They build limitations into the environment.

    So what safeguards does a browser provide?
    Well, password information is crucial. Quite frankly, any application that even attempts to access a password field should be blocked... unless the user explicitly understands this. And I don't mean some generic warning message that applies to every extension.

    And so the point is... extensions are no different than downloading and installing a regular program... but they bloody well should be!
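
The comments above note that Chrome lists an extension's requested permissions at install time but that the list is hard to interpret, and that the warning does not single out access to password fields. The following is an added example, not part of the thread or of Grech's extension: a small auditor that reads a manifest and reports which entries give the extension script access to page DOMs, where login forms live. The function name `auditManifest` and the sample manifest are constructed for illustration.

```javascript
// Added example: flag manifest entries that let an extension reach page
// content (and therefore form fields) on the sites it matches.

// Match patterns that cover every site (Chrome match-pattern syntax).
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// True for host match patterns, false for API names such as "tabs".
const isHostPattern = (p) =>
  p === '<all_urls>' || /^(\*|https?|file|ftp):\/\//.test(p);

const severityOf = (pattern) => (ALL_SITES.has(pattern) ? 'high' : 'medium');

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 moves them to "host_permissions". Check both.
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const p of declared) {
    if (typeof p !== 'string' || !isHostPattern(p)) continue;
    findings.push({
      severity: severityOf(p), source: 'permissions', pattern: p,
      meaning: 'may inject script into matching pages',
    });
  }
  // Content scripts run against the DOM of every page they match.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      findings.push({
        severity: severityOf(m), source: 'content_scripts', pattern: m,
        meaning: `runs ${(cs.js || []).join(', ')} in the DOM of matching pages`,
      });
    }
  }
  return findings;
}

// Constructed sample manifest (not taken from any real extension).
const sampleManifest = {
  name: 'Constructed Example Extension',
  version: '1.0',
  permissions: ['tabs', 'https://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`[${f.severity}] ${f.source} ${f.pattern}: ${f.meaning}`);
}
```

A `high` finding means the entry covers every site, so any login page the user visits is in scope; `medium` means access is limited to the listed hosts.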
