As reported by The Next Web, a developer has created a plugin for the Google Chrome browser that can watch users’ login information and send it to him via email. The programmer who created the attack, Andreas Grech, coded the plugin in jQuery. Grech is only demonstrating the attack and isn’t using it maliciously, but it is more than a proof of concept: it’s real and in the wild. He details the attack on his blog and reveals the code behind the exploit. He says that he has tested it and that it has been successful against major sites like Facebook, Gmail, and Twitter.
Grech’s explanation from his blog of how the attack works:
The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.
By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.
The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the URL, and then proceeds to submit the form normally so as to avoid detection.
Grech also mentions that while he used this attack to steal login information, it could also be used to steal cookies or hijack browsing sessions. This attack is a good reminder that IE isn’t the only vulnerable browser around and that caution is needed when installing 3rd-party extensions. Until Google patches this hole, it is a good idea to be extra careful about checking whether a plugin comes from a reputable source.
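An added example, not Grech’s code and not part of the original article: a JavaScript check that takes an extension’s parsed manifest.json and flags content scripts or host permissions covering every site, which is the access that lets an extension read form fields as described above. The function names, extension names and manifest contents are constructed for illustration.

```javascript
// Match patterns that cover all (or nearly all) web pages.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

// Takes a parsed manifest.json object and returns a list of findings (strings).
function auditManifest(manifest) {
  const findings = [];
  // Content scripts run inside the page and can read form fields through the DOM.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0) {
      findings.push(`content script ${JSON.stringify(cs.js || [])} injected on ${broad.join(", ")}`);
    }
  }
  // Host access is listed under "permissions" in older manifests
  // and under "host_permissions" in Manifest V3.
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === "string" && isBroad(p));
  if (hosts.length > 0) {
    findings.push(`host access to ${hosts.join(", ")}`);
  }
  return findings;
}

// Constructed sample manifests (hypothetical extensions, not real ones).
const broadExtension = {
  name: "Example Toolbar",
  version: "1.0",
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["jquery.js", "content.js"] }],
  permissions: ["tabs", "<all_urls>"],
};
const scopedExtension = {
  name: "Example Notes",
  version: "1.0",
  content_scripts: [{ matches: ["https://notes.example.com/*"], js: ["notes.js"] }],
  permissions: ["storage"],
};

for (const m of [broadExtension, scopedExtension]) {
  const findings = auditManifest(m);
  console.log(`${m.name}: ${findings.length ? findings.join("; ") : "no site-wide DOM access"}`);
}
```

A finding means the extension is able to read page content on every site, not that it does anything malicious; many legitimate extensions request the same access, so the result is a prompt to check the source, as the article advises.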

Is this even patchable? Isn’t this vulnerability present in Firefox and IE too? I know Firebug can see my form fields… what’s stopping it from emailing them? I think this is just an inherent problem with browser plugins.
Don’t believe it’s patchable, nor even worth mentioning. This particular note is about as deep as saying “running executable files from sources you don’t know could put you at risk”. Any executable from an unknown source is a danger, and browser plugins are no exception. That would be why every time you install one on any browser they pop up a message saying “make sure you trust the source you are getting this from, are you sure you want to install it?”
Pity he’s not got better things to do with his time!
Just to make one thing clear, I did not use this extension to steal login credentials.
In the follow-up, I clarified that I only tested this on myself and did not distribute it nor upload it to the Google Chrome Repository.
What is this article doing on Technibble?
@Josh Because as PC Repair professionals we need to be aware of potential threats to our clients’ data so we can be best prepared to help them stay safe.
This is a serious danger just like a virus. People download and run those .exe files in emails masquerading as PDFs or other document type files. Why? Because they don’t look at the details. So a plug-in like this is just as dangerous as those. We may see the details and avoid these, but how many jobs have any of you been on that were due to users’ careless mistakes?
I suppose any browser can have addons installed. Is it actually specific to Chrome? Surely Firefox or Opera could also have this type of add-on created.
We’ll have to stop using Google Chrome.
No question that articles like this should be posted on Technibble. Most people talk about the potential security threats to Explorer so it’s interesting to see that Chrome has some security issues.
He raises a good point, but you still need to install the plugin for it to be effective, not so? This doesn’t happen very often in my world, so there will have to be some seriously large carrot associated with the plugin…