A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.
  • argv_minus_one@beehaw.org
    7·
    10 months ago

    Well, yeah, of course they can. They can read the entire DOM, including the value of password fields. Were you expecting otherwise?

  • wizardbeard@lemmy.dbzer0.comEnglish
    3·
    10 months ago

    There’s a bit of crying wolf here, as the problem is that extensions can access input fields that may be password fields (actual problem with extension access rights), and secondarily the researchers found sites storing passwords in plaintext in the page source (nothing to do with extensions having too much rights and everything to do with those sites being garbage).

    Anyway, didn’t Chrome change how their extensions worked around a year ago to make them more secure and limit their access?

    Thought it caused problems for ad-blockers. Guess it really was all about kicking adblockers and not a single bit about security for users.