Password-stealing Chrome extension smuggled on to Web Store

cross-posted from !google

Original source: arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome’s latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions’ full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
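
A defender-side check for the permission pattern summarized above, as an added example that is not from the paper or this thread: it flags extension manifests whose content scripts or host permissions cover every site, which is what gives an extension DOM access to password fields. The manifests in `SAMPLES` and the `auditManifest` function are constructed for illustration; the manifest keys are standard WebExtension keys.

```javascript
// Added example: flag manifests whose host access covers every site.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const broadOnly = (list) => (list ?? []).filter((p) => BROAD.has(p));

function auditManifest(m) {
  const findings = [];
  // Content scripts run in the page's DOM and can read any <input>,
  // including type="password".
  for (const cs of m.content_scripts ?? []) {
    const hit = broadOnly(cs.matches);
    if (hit.length) findings.push({ where: "content_scripts", patterns: hit });
  }
  // MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
  const perms = m.permissions ?? [];
  const mv3 = m.manifest_version === 3;
  const hosts = broadOnly(mv3 ? m.host_permissions : perms);
  if (hosts.length) {
    // Injection needs "scripting" in MV3; in MV2 host access alone is enough.
    const canInject = !mv3 || perms.includes("scripting");
    findings.push({ where: "host_permissions", patterns: hosts, canInject });
  }
  // Optional host permissions are not active until granted at runtime.
  const optional = broadOnly(m.optional_host_permissions);
  if (optional.length) findings.push({ where: "optional", patterns: optional });
  const risky = findings.some((f) => f.where !== "optional");
  return { name: m.name, risky, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = {
  broad: {
    name: "sample-broad", manifest_version: 3,
    permissions: ["scripting"], host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  },
  scoped: {
    name: "sample-scoped", manifest_version: 3,
    permissions: ["storage"], host_permissions: ["https://example.com/*"],
    content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
  },
  optionalOnly: {
    name: "sample-optional", manifest_version: 3,
    permissions: ["activeTab"], optional_host_permissions: ["<all_urls>"],
  },
};

for (const m of Object.values(SAMPLES)) console.log(JSON.stringify(auditManifest(m)));
```
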
CallMeM ,

or, hear me out, use firefox instead

Valthorn ,

Removes sunglasses My god! It’s so crazy it might actually work!

suction ,

What exactly makes Firefox more resistant against malicious extensions?

Norgur ,

Nothing really. The way add-ons interact with web pages is very similar.

suction ,

Yeah. That’s why I don’t understand how using Firefox would be a solution to this. The only solution is to not use extensions.

p1mrx ,

Firefox requires explicit user interaction to grant the all_urls permission, although this only applies to Manifest V3. Here’s what it looks like on my extension:

https://sh.itjust.works/pictrs/image/3e757428-ec0d-4fb2-8a8c-5873e0c5e772.webp

I could’ve just reverted to Manifest V2 to avoid that step, but V3 will probably become mandatory someday.

chiisana ,

Doesn’t Chrome also need this? I know I get prompted to re-enable all urls permission every now and then when there’s a significant Chrome and/or extension update.

p1mrx , (edited )

On Chrome, I only ever recall seeing the dialog when I install an extension, or if an extension is updated to use additional permissions.

Firefox MV3 is different, in that the all_urls permission cannot be granted on install. If an extension requests all_urls, it installs with the permission disabled. The user has to manually enable it for one site or all.

IPvFoo is mostly useless without all_urls, which is why I made it show that button until the permission is granted.

chiisana ,

I see! Yeah I think Chrome asks one time on install and most users just blindly accept everything. Prompting on first actual use is a good idea.

Floey ,

I use Firefox but this is kind of silly. The real advice is use very few addons. On Firefox I use only ublock.
