cross-posted from !google@lemdro.id

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome’s latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions’ full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
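A defender-side check related to the permissions point in the summary above, as an added example that is not part of the original post or the paper: it flags Manifest V3 manifests whose content scripts or `scripting` permission cover every site, which is what gives extension code DOM access on login pages. The list of broad patterns, the function names and the sample manifests are constructed assumptions, not the criteria the researchers used.

```javascript
// Added example: audit Manifest V3 manifests for all-site DOM access.
// Match patterns treated as "every site" (assumption; extend for your policy).
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

const isBroad = (patterns) => (patterns || []).some((p) => BROAD_PATTERNS.has(p));

// Returns the ways one manifest lets extension code run inside arbitrary pages.
function auditManifest(manifest) {
  const findings = [];
  // Declarative injection: content scripts matched against every site.
  for (const cs of manifest.content_scripts || []) {
    if (isBroad(cs.matches)) {
      findings.push(`content script on all sites: ${(cs.js || []).join(", ")}`);
    }
  }
  // Programmatic injection: chrome.scripting plus all-site host access.
  const perms = manifest.permissions || [];
  if (perms.includes("scripting") && isBroad(manifest.host_permissions)) {
    findings.push("scripting permission with all-site host_permissions");
  }
  // Host access the extension can request later at runtime.
  if (isBroad(manifest.optional_host_permissions)) {
    findings.push("all-site optional_host_permissions");
  }
  return { name: manifest.name, findings, needsReview: findings.length > 0 };
}

// Names of the extensions that deserve a manual look before being allowed.
function auditAll(manifests) {
  return manifests.map(auditManifest).filter((r) => r.needsReview).map((r) => r.name);
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  { manifest_version: 3, name: "Example Note Taker",
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] },
  { manifest_version: 3, name: "Example Tab Counter", permissions: ["tabs"] },
  { manifest_version: 3, name: "Example Site Helper", permissions: ["scripting"],
    host_permissions: ["https://intranet.example/*"],
    content_scripts: [{ matches: ["https://intranet.example/*"], js: ["helper.js"] }] },
  { manifest_version: 3, name: "Example Page Tool", permissions: ["scripting", "storage"],
    host_permissions: ["*://*/*"] },
];

console.log(auditAll(SAMPLE_MANIFESTS));
```

A flagged manifest only means the extension is able to read page content everywhere; whether it touches password fields still needs a look at its scripts.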
    • Floey@lemm.ee · 10 months ago

      I use Firefox but this is kind of silly. The real advice is use very few addons. On Firefox I use only ublock.

      • Norgur@kbin.social · 10 months ago

        Nothing really. The way add-ons interact with web pages is very similar.

        • suction@lemmy.world · 10 months ago

          Yeah. That’s why I don’t understand how using Firefox would be a solution to this. The only solution is to not use extensions.