Chrome browser extensions can steal passwords from the text input fields in websites, despite Chrome's latest security and privacy standard, Manifest V3.

cross-posted from [email protected]

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome’s latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions’ full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
  • dan@lemm.eeEnglish
    3·
    10 months ago

    I am not sure how Manifest V3 is relevant here?

    Because they literally tout security as one of the primary reasons for forcing it onto people.

    https://developer.chrome.com/docs/extensions/mv3/intro/

    The first line is “A step in the direction of security, privacy, and performance.”

    https://developer.chrome.com/blog/mv2-transition/

    “Manifest V3 is more secure, performant, and privacy-preserving than its predecessor.”

    It’s the first thing they say.

    If it doesn’t prevent a malicious extension from lifting your password in perhaps the most dumb and naive way I can think of, then it seems fairly disingenuous to describe it as “secure”.