Chrome extensions flaw allows password theft

 

Gallery

By Nicole Kobie

Posted on 12 Jul 2010 at 10:40

Extensions in Google Chrome are open to a password-stealing hack, according to a security researcher.

Because such third-party add-ons have access to the document object model (DOM) in the Chrome browser - a key API which manages information - it is possible to create an extension that can read form fields and gather passwords and logins, said Andreas Grech in a blog post.

You should always be careful about what third-party applications you install

Grech created a "simple" proof of concept plug-in that stripped such data from well-known web pages as the user logged in, and then emailed it back to him. The flaw works against sites including Gmail, Facebook and Twitter, the researcher claimed.

"Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details, along with the URL, and then proceeds to submit the form normally as to avoid detection," Grech wrote.

Grech said the technique could also be used to steal cookies and other browser data. "The point I am trying to make here is that you should always be careful about what third-party applications you install," he said.

A Google spokesperson stressed that the flaw wasn't specifically in Chrome or its extensions. "A user must explicitly approve any powerful capabilities requested by a Chrome extension before it can be installed, and the extension is limited to that approved functionality."

"Chrome's sandboxing technology keeps extensions separate from the browser kernel, helping prevent any malicious extension from accessing underlying browser architecture," the spokesperson added. "Google can remove any malicious extension from the gallery and disable the extension for existing users. We also always advise users to only download extensions from authors they know and trust."