Hacked: Google Chrome’s Security has been Compromised

By | July 10th, 2010

Believe it or not, programmer Andreas Grech has made a Chrome plugin (a third-party extension) that can capture users’ login information and send it to him by email. He has successfully captured email IDs and their passwords for websites like Twitter, Gmail, and Facebook. Andreas says:

The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.

By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.

The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the URL, and then proceeds to submit the form normally so as to avoid detection.

Andreas Grech, the hacker, has provided source code and a step-by-step guide on his blog to show you the flaw in Chrome. His intentions are pure: he only wants to point out the massive security flaw in the browser. A piece of advice: until Google comes out with a fix, only install plugins from renowned people and websites.
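One way to check what an extension can reach before installing it, as an added example (not from the original post or from Andreas Grech's PoC): read its manifest.json and flag content scripts that are injected on every site, since those can read form fields in the DOM as described above. The function names and both sample manifests are constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest for page access.
// A content script runs inside matching pages and can read their DOM,
// including form fields, so broad "matches" patterns deserve scrutiny.

// Match patterns that cover every site (Chrome match-pattern syntax).
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// True when a pattern's host part is a bare wildcard, i.e. any site.
function isBroad(pattern) {
  if (BROAD.has(pattern)) return true;
  const m = /^(\*|https?):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns a list of findings for one parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0) {
      findings.push({ kind: "content-script-on-all-sites", patterns: broad, scripts: cs.js || [] });
    }
  }
  // Host patterns in the permission lists let the extension make
  // cross-origin requests; reviewed together with the finding above.
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broadHosts = hosts.filter(isBroad);
  if (broadHosts.length > 0) {
    findings.push({ kind: "network-access-to-all-sites", patterns: broadHosts });
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_BROAD = {
  name: "Sample helper",
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content.js"] }],
  permissions: ["tabs", "http://*/*"],
};
const SAMPLE_SCOPED = {
  name: "Sample scoped",
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
  permissions: ["storage"],
};

console.log(JSON.stringify(auditManifest(SAMPLE_BROAD), null, 2));
console.log(JSON.stringify(auditManifest(SAMPLE_SCOPED)));
```

An empty result only means the extension is not injected everywhere; a content script scoped to a single site can still read the forms on that site.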

    Hardly a proof of concept. This is a normal feature for extensions. Most plug-ins and extensions for other browsers are probably able to do a lot more such as steal the passwords users have stored inside the browser.

    It would really be news if someone had not only written an add-on that would do that but also got it onto the site of the original publishers of the browser, such as in this example:

    The same goes for add-ons as for normal software: Only install it if you know where it comes from and you trust the publisher. When you install software it is comparable to letting someone into your house or company building. From there they can really help you and do useful work for you, but they are also in a position to hurt you. You must make sure it's not a spy or axe-murderer you are letting in. ;-)

    Technically, it does not “steal” credentials that are stored inside the browser. What the plugin does is intercept form submissions and send the inputted details before they are transferred.

    As regards the proof of concept, I only demonstrated that it can be done. Showing users concrete examples can make them more aware of the dangers in installing 3rd party applications. Sure, the plugins come with a warning before installing but in reality, the majority just completely disregard it and install anyways.

    The reason I did not try and hide this technique inside a functional plugin and upload it to the Chrome Repository is because my intentions were not to steal login credentials; it was merely to show that it can be done. Can it be integrated with a fully functional plugin? Sure. Just take a look at Mozilla Sniffer and how many people downloaded it.

