Google Chrome Extension that steals Login Details - How safe are we?


dkd903
10th July 2010, 08:31 AM
In a major blow to Google Chrome’s claim of being one of the safest browsers, a developer has come up with an extension (http://digitizor.com/2010/07/10/major-blow-for-google-chrome-extension-capable-of-stealing-login-details-developed/) that he says can steal login details of the user.

Andreas Grech has developed an extension for Google Chrome which he says can steal login details of the user. After installing the extension, he says it will send the login ID and passwords of users to him through email. He says that so far his method has worked with Gmail, Twitter and Facebook, among other sites.

This is what Grech wrote:

The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.

By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.

The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the URL and then proceeds to submit the form normally so as to avoid detection.

This simple procedure has been successful against Gmail, Facebook, Twitter and other major websites.

Grech has also published his code as a proof of how he achieved this. You can view it at his blog (http://blog.dreasgrech.com/2010/07/stealing-login-details-with-google.html).

Until Google comes up with a proper patch to fix this, be careful of the extensions you install.
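
As an added example that is not part of the original thread or of Grech's code: a small audit that flags extension manifests able to run content scripts, and therefore read form fields, on every site. `content_scripts`, `matches`, `permissions` and `host_permissions` are Chrome's own manifest keys; the function names and the two sample manifests are constructed for illustration.

```javascript
// Match patterns that cover every origin (or every http/https origin).
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Entries in "permissions" are either API names ("tabs") or host match patterns.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const findings = [];
  // Content scripts run inside matching pages and can read the DOM there,
  // including username and password fields.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD.has(m));
    if (broad.length > 0) {
      findings.push({ kind: "content_script_all_sites", patterns: broad, scripts: cs.js || [] });
    }
  }
  // Host access is declared in "permissions" (older manifests)
  // or in "host_permissions" (Manifest V3).
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === "string" && isHostPattern(p));
  const broadHosts = hosts.filter((p) => BROAD.has(p));
  if (broadHosts.length > 0) {
    findings.push({ kind: "host_access_all_sites", patterns: broadHosts });
  }
  return { name: manifest.name || "(unnamed)", risky: findings.length > 0, findings };
}

// Constructed sample manifests, not taken from any real extension.
const SAMPLE_MANIFESTS = [
  { name: "Page Helper (constructed)", version: "1.0",
    content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["helper.js"] }],
    permissions: ["tabs", "http://*/*"] },
  { name: "Docs Highlighter (constructed)", version: "2.1",
    content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["hl.js"] }],
    permissions: ["storage"] },
];

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.risky ? "REVIEW" : "ok    "} ${r.name}`);
  for (const f of r.findings) console.log(`   ${f.kind}: ${f.patterns.join(", ")}`);
}
```

To check real extensions, pass each installed extension's `manifest.json`, parsed with `JSON.parse`, to `auditManifest`. A flagged manifest is not proof of malice, and a narrower pattern that covers only your bank or mail provider is not flagged but still deserves a look.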

CtrlK
10th July 2010, 08:59 AM
So the old idea that the internet is a scary place where bad people will do malicious things to manipulate others still stands? I never would have guessed.

Evil_Bert
10th July 2010, 10:05 AM

It pays to know what you're installing. Only ever install from trusted sources - the same could be said for any browser or OS.

Lord Honk
14th July 2010, 07:45 AM
Still, nice to know. I myself am not the most vivid follower of Google, but I know of A LOT of people along the lines of "hey new Facebook app, let's accept the warning that it sends all user information to third parties and offers my soul to satan"; I believe the same kind of people exist in Google's userbase.

So, nothing new, but now we know of it. Hooray for forums :D

droidhacker
23rd July 2010, 07:16 PM
If you're into farcebook, you don't have any passwords or other secure information worth protecting to begin with.