cross-posted from !google@lemdro.id

Original source: https://arxiv.org/pdf/2308.16321.pdf

  • Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome’s latest security standard, Manifest V3.
  • A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
  • The core issue lies in the extensions’ full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
  • Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
  • Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
  • @Creesch@beehaw.org, 1 year ago

    I am not quite sure why there are all these bullet points that have very little to do with the actual issue.

    Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome’s latest security standard, Manifest V3.

    I am not sure how Manifest V3 is relevant here? Nothing in Manifest V3 suggests that content_scripts can’t access the DOM.

    The core issue lies in the extensions’ full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.

    I’d also say this isn’t directly the issue. Yes, content_scripts needing an extra permission to be able to access password input fields would help, of course.

    Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.

    Yes… because accessing the DOM and interacting with it is what browser extensions do. If anything, that 12.5% feels low, so I am going to guess it is the combination of accessing the DOM and being able to phone home with that information.

    A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.

    This, to me, feels like the core of the issue right now. The behavior as described has always been part of browser extensions, and Manifest V3 didn’t change that or make a claim in that direction as far as I know. So that isn’t directly relevant right now. I’d also say that Firefox is just as much at risk here. Their review process over the years has changed a lot and isn’t always as thorough as people tend to think it is.

    Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.

    “A JavaScript library” is not going to do much against content_scripts of extensions accessing the DOM.

    The alert system seems better indeed, but that might as well become browser extension permission.

    To be clear, I am not saying that all is fine and there are no risks. I just think that the bullet point summary doesn’t really focus on the right things.

    • @dan@lemm.ee, 1 year ago

      I am not sure how Manifest V3 is relevant here?

      Because they literally tout security as one of the primary reasons for forcing it onto people.

      https://developer.chrome.com/docs/extensions/mv3/intro/

      The first line is “A step in the direction of security, privacy, and performance.”

      https://developer.chrome.com/blog/mv2-transition/

      “Manifest V3 is more secure, performant, and privacy-preserving than its predecessor.”

      It’s the first thing they say.

      If it doesn’t prevent a malicious extension from lifting your password in perhaps the most dumb and naive way I can think of, then it seems fairly disingenuous to describe it as “secure”.
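Added example, not code from the paper, the summary, or either commenter: a small static audit of Chrome extension manifests that reports whether an extension can run script inside the DOM of arbitrary pages, which is the capability behind the summary’s 12.5% figure and the “DOM access plus phone home” combination Creesch guesses at. The paper’s exact selection criteria are not given on this page, so the classification rules below (a content script on a broad match pattern, or the `scripting` permission together with a broad host permission) are this example’s own assumption, and the three manifests are constructed samples, not real extensions.

```javascript
// Added example (not from the paper or this thread). Statically audits a
// Chrome extension manifest (MV2 or MV3) for arbitrary-page DOM access.
// The rules are an assumption of this example, not the paper's criteria.

// Match patterns that cover effectively every page.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(String(pattern).trim());
}

// Host patterns live under host_permissions in MV3 and under permissions in MV2.
function hostPatterns(manifest) {
  const fromMv3 = manifest.host_permissions || [];
  const fromMv2 = (manifest.permissions || []).filter(
    (p) => p === "<all_urls>" || p.includes("://")
  );
  return [...fromMv3, ...fromMv2];
}

// Returns { route, patterns } where route is one of:
//   "static"       a content_scripts entry is injected on a broad match pattern
//   "programmatic" the extension can inject into any matching tab on demand
//                  (MV3: "scripting" permission plus a broad host permission;
//                  MV2: tabs.executeScript needed only the host permission)
//   "none"         neither; activeTab alone is not counted, since it is gated
//                  on a user gesture per tab rather than arbitrary-page access
function auditDomAccess(manifest) {
  const staticMatches = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || [])
    .filter(isBroad);
  if (staticMatches.length > 0) {
    return { route: "static", patterns: staticMatches };
  }
  const hosts = hostPatterns(manifest).filter(isBroad);
  const perms = manifest.permissions || [];
  const canInject = manifest.manifest_version === 3 ? perms.includes("scripting") : true;
  if (canInject && hosts.length > 0) {
    return { route: "programmatic", patterns: hosts };
  }
  return { route: "none", patterns: [] };
}

// Constructed sample manifests for illustration only (hypothetical extensions).
const SAMPLE_MANIFESTS = {
  // Looks like a harmless page tweaker but runs in every page's DOM.
  everywhereStatic: {
    manifest_version: 3,
    name: "Example Page Styler",
    version: "1.0",
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  },
  // No static content script, but can inject into any https page at will.
  everywhereProgrammatic: {
    manifest_version: 3,
    name: "Example Clipper",
    version: "1.0",
    permissions: ["scripting", "storage"],
    host_permissions: ["https://*/*"],
  },
  // Limited to one site: cannot reach password fields on any other origin.
  singleSite: {
    manifest_version: 3,
    name: "Example Site Helper",
    version: "1.0",
    content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
  },
};

// Tally over a set of manifests: the same shape of statistic as the 12.5% figure.
function shareWithDomAccess(manifests) {
  const results = Object.values(manifests).map(auditDomAccess);
  const flagged = results.filter((r) => r.route !== "none").length;
  return { flagged, total: results.length, share: flagged / results.length };
}

for (const [name, m] of Object.entries(SAMPLE_MANIFESTS)) {
  console.log(name, auditDomAccess(m));
}
console.log(shareWithDomAccess(SAMPLE_MANIFESTS));
```

Run it with `node audit.js` against any unpacked extension’s `manifest.json` after swapping in `JSON.parse(fs.readFileSync(...))` for the constructed samples. The audit deliberately does not try to score a separate “can phone home” capability: an extension’s background service worker can `fetch()` an attacker-controlled origin that answers with permissive CORS headers without any host permission at all, so DOM reach is the discriminating capability. Nothing in the manifest can tell you whether a content script will touch `input[type=password]` in particular, because Manifest V3 has no permission that distinguishes password fields from the rest of the DOM; that is exactly the gap the paper’s proposed browser-level alert, or an extra permission as Creesch suggests, would close.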