Chrome extensions can steal passwords from websites
-
A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.
— https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-plaintext-passwords-from-websites/
TL;DR
For our Germans, see https://www.golem.de/news/gmail-facebook-und-mehr-chrome-erweiterungen-lesen-passwoerter-im-klartext-aus-2309-177329.html
The real problem is that password field contents are readable if the type attribute in the website's HTML is changed by the extension.
And Chrome extensions which have access to the website's HTML code in the browser (the DOM) can read them with JavaScript and steal them. Bad.
Some of these vulnerable sites:
gmail.com
cloudflare.com
facebook.com
citibank.com
irs.gov
capitalone.com
usenix.org
amazon.com
-
And that is always a problem when an extension asks a user installing/running an extension to access this or that; most of them do not know the security/privacy implications.
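Added example, not part of the posts above and not the researchers' code: a check that reads an extension's manifest.json and reports whether its declared match patterns give its scripts DOM access on every site, on some sites, or on none, which is what the install prompt's "access this or that" amounts to. The function names and sample manifests are constructed for illustration.

```javascript
// Added example: report how much page DOM an extension can reach, judging
// only from its manifest.json. Function names and samples are constructed.
function hostOf(pattern) {
  if (pattern === '<all_urls>') return '*';
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : null; // null: an API permission such as "storage", not a host pattern
}

function auditManifest(manifest) {
  const findings = [];
  const note = (source, patterns) => {
    for (const p of patterns || []) {
      const host = hostOf(p);
      if (host !== null) findings.push({ source, pattern: p, allSites: host === '*' });
    }
  };
  // Scripts injected automatically into every matching page.
  for (const cs of manifest.content_scripts || []) note('content_scripts', cs.matches);
  // Hosts the extension may inject into on demand (Manifest V3, then V2 style).
  note('host_permissions', manifest.host_permissions);
  note('permissions', manifest.permissions);
  // Hosts it can request later, after installation.
  note('optional_host_permissions', manifest.optional_host_permissions);
  // activeTab: access to the current tab only after the user invokes the extension.
  if ((manifest.permissions || []).includes('activeTab')) {
    findings.push({ source: 'permissions', pattern: 'activeTab', allSites: false });
  }
  const level = findings.some((f) => f.allSites) ? 'all-sites'
    : findings.length ? 'limited' : 'none';
  return { name: manifest.name, level, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: 'Page helper', manifest_version: 3,
    content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }] },
  { name: 'Mail notifier', manifest_version: 3, permissions: ['storage'],
    host_permissions: ['https://mail.example.com/*'] },
  { name: 'Old toolbar', manifest_version: 2, permissions: ['tabs', '*://*/*'] },
  { name: 'Notes', manifest_version: 3, permissions: ['storage', 'alarms'] },
];

for (const m of SAMPLES) {
  const r = auditManifest(m);
  console.log(`${r.name}: ${r.level}`, r.findings.map((f) => f.pattern));
}
```

An `all-sites` result means the extension's scripts run in, or can be injected into, any page the user visits, login pages included.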
-
Also appropriate to this is this extension, mentioned by @Patduck:
https://forum.vivaldi.net/topic/89883/little-rat-extension-network-monitor-blocker
-
Luckily I never use extensions and will never do so.
-
Certainly fewer and fewer extensions are needed in Vivaldi, in fact, most of the extensions in the Chrome Store are already redundant in this browser.
Even so, I use some extensions that are useful to me, respect privacy and image Tools.
In general it can be said that, if extensions are used, they should be limited to those that are OpenSource, because these are the ones that normally cause the least problems.
Refrain from those that do not show their Homepage in their Store listing and/or do not have an identifiable author. Read also the PP.
-
@Catweazle This is another thing I don't understand. Extensions. They strike me as a net hazard, not a net benefit. And why load up your browser's use of RAM and CPU cycles with more dreck? Not to be a tinfoil-hatter, but I think the craving for a pushbutton life where you don't have to think or make any adjustments, is one of the reasons AI is seen as such a danger. It's because we know humans expect everything to be done for us, and done in a custom manner.
-
@falconeer, well, it's relative. I don't use extensions if they don't provide advantages for my tasks, e.g. I use the Site Bleacher extension; it's FOSS and deletes all data from the websites I visit over the day (a lot), except from the whitelisted ones. That keeps the browser and also the system clean, avoiding unneeded caches, service workers, local storage, WebSQL and other crap. This avoids a larger amount of data than the few bytes the extension has.
The same with the others with scripts that do not influence performance at all, but provide functions that I often need and that Vivaldi, at least for the moment, does not have. Nothing to do with a tinfoil hat, but this depends on each person how and why they use the browser.
There are no problems with extensions, if you use them with common sense and for what you really need, from reliable and verified sources.
-
Thank you very much for your valuable advice.