Update – The developer in question has updated his original blog post with new information and some disclaimers. Read it here first.
We hate to scare you on a Friday right before a good weekend, but this story is alarming enough that you need to hear about it. Before we proceed, know that this exploit is out in the open, so be extra careful when you install any Chrome plugin; you may be at risk.
The exploit, developed by programmer Andreas Grech, employs a plugin coded using jQuery to capture users’ login information and have it emailed to himself. He claims to have tested the plugin, and that it has been successful against Twitter, Gmail, and Facebook. In his own words:
The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.
By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.
The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the URL, and then proceeds to submit the form normally so as to avoid detection.
If you doubt his statements, he has included the code for the plugin on his website.
In some way, we all owe Mr. Grech a thank you for finding the flaw and proving its existence. Now that this is well known, Google can plug the hole and restore peace of mind to its millions of users.
For now, only install plugins from people you know and trust; this exploit is dangerous.
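The advice above rests on what an extension is allowed to reach, and that is declared in its manifest before anything is installed: content scripts run on the pages listed under `matches`, and host patterns grant access to sites. The following is an added example, not code from the article or from Andreas Grech's extension: a Node.js script that audits a manifest object and flags content scripts or host permissions that cover every site (the condition a form-scraping script needs to read login fields anywhere), plus API permissions that expose browser state beyond the visited page. It reads both the older `permissions` host patterns and manifest V3 `host_permissions`, which goes beyond the 2010-era manifests the article concerns. The function names and the two sample manifests are constructed for this example.

```javascript
// Added example for this article; it is not the article's code nor Andreas
// Grech's extension. It is a small static audit of a Chrome extension
// manifest that reports which pages the extension's content scripts can read
// and which broad permissions it asks for, before the user clicks "Install".
// The manifest keys ("content_scripts", "matches", "permissions",
// "host_permissions") are real Chrome manifest keys; the function names and
// the two sample manifests below are constructed for this example.

// Match patterns that cover every site the user visits.
const BROAD_MATCHES = new Set([
  '<all_urls>', '*://*/*', 'http://*/*', 'https://*/*', 'file://*/*',
]);

// Permissions that reach browser state beyond the page a script is injected into.
const SENSITIVE_PERMISSIONS = new Set([
  'webRequest', 'webRequestBlocking', 'cookies', 'tabs', 'history',
  'webNavigation', 'clipboardRead', 'proxy', 'debugger', 'nativeMessaging',
]);

function isBroadMatch(pattern) {
  return BROAD_MATCHES.has(String(pattern).trim());
}

// Audit one manifest object. Returns the pages content scripts run on, the
// broad host patterns, the sensitive permissions, human-readable findings,
// and an overall level: 'high' if any script or host permission covers every
// site (it can read any form, including login fields), 'medium' if only
// sensitive API permissions are requested, 'low' otherwise.
function auditManifest(manifest) {
  const findings = [];
  const contentScriptPages = [];
  let broadContentScript = false;

  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      contentScriptPages.push(pattern);
      if (isBroadMatch(pattern)) {
        broadContentScript = true;
        findings.push(
          `content script ${JSON.stringify(cs.js || [])} runs on every page (${pattern}) ` +
          'and can read every form field, including usernames and passwords');
      }
    }
  }

  // Older manifests list host patterns under "permissions"; manifest V3 moves
  // them to "host_permissions". Both are read so the check covers either style.
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broadHosts = declared.filter(isBroadMatch);
  const sensitive = declared.filter((p) => SENSITIVE_PERMISSIONS.has(p));

  for (const h of broadHosts) findings.push(`host permission ${h} grants access to every site`);
  for (const p of sensitive) findings.push(`permission "${p}" exposes browser state beyond the visited page`);

  const level = broadContentScript || broadHosts.length > 0 ? 'high'
    : sensitive.length > 0 ? 'medium' : 'low';
  return { contentScriptPages, broadHosts, sensitive, findings, level };
}

// Constructed sample 1: the shape of a form-scraping extension like the one in
// the article, which needs its script on every page (older "permissions" style).
const SAMPLE_BROAD = {
  manifest_version: 2,
  name: 'Form Helper (constructed sample)',
  version: '1.0',
  permissions: ['<all_urls>', 'tabs'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['jquery.js', 'content.js'] }],
};

// Constructed sample 2: a dictionary extension that only touches one site
// (manifest V3 style with "host_permissions").
const SAMPLE_NARROW = {
  manifest_version: 3,
  name: 'Dictionary Lookup (constructed sample)',
  version: '2.0',
  permissions: ['storage'],
  host_permissions: ['https://dictionary.example/*'],
  content_scripts: [{ matches: ['https://dictionary.example/*'], js: ['lookup.js'] }],
};

// Print a short report for one manifest and return the audit result.
function report(manifest) {
  const result = auditManifest(manifest);
  console.log(`${manifest.name}: ${result.level.toUpperCase()}`);
  for (const f of result.findings) console.log(`  - ${f}`);
  return result;
}

report(SAMPLE_BROAD);
report(SAMPLE_NARROW);
```

The first sample is rated high because its content script matches `<all_urls>`, which is exactly what lets a script see every login form the user submits; the dictionary sample is rated low because both its script and its host access are confined to one site. Running the same check over a real extension's `manifest.json` (parsed with `JSON.parse`) gives a reviewer a concrete list of what to question before granting the install prompt.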
That guy is just a linkbaiter. This is not any news and not applicable to Chrome plugins explicitly. Any software – on your phone, browser, OS, etc should be from a credible source, but I agree that Google, Mozilla, and others should do things differently. Given Google has only done a great job with Android, a similar approach should be applied to browser plugins. Just like with Facebook, when you add an app, it asks the user to review and grant access to different data points and services. Android apps follow the same principle. The same concept should be applied to browser plugins and extensions.
The reason for the post was to demonstrate that such things can be done.
Since when is it wrong to remind people about security and to be careful about installing 3rd party applications?
Surely it can be done with other browsers but I demonstrated it with a Google Chrome extension.
“Since when is it wrong to remind people about security and to be careful about installing 3rd party applications?”
It isn’t wrong to inform people, but to hype it as either a hack, something that trashes security or even an exploit is misleading to say the least.
I never hyped the article. Read my post; you’ll see that I neither said that this is big news nor something that “trashes” Chrome’s security. I didn’t even say that this is an exploit.
Frankly, I think that this has been blown way out of proportion.
Read the article for yourself and you’ll see that I just wrote it to make people even more aware about the issue.
This is applicable to any software you install on your computer. This post states that the “hacker” trashes chromes security. This has nothing to do with trashing security. That is already known from day one. The way this article stated “flaw”, this is no flaw. This is a feature. Yes, extension developers can inject code using content scripts to any page they allow in their manifest. It is up to the user to decide if they want to install that extension. So yes, users should be careful on what extension (programs) they will install on their computer.
Andreas, you are about 15 years too late if you are trying to convince people to not download untrusted 3rd party plugins (or anything that has executive permissions for that matter). I can send a keylogger to my friend running Windows 7. I can tell him that it’s my new calculator test program. HACKER CREATES CALCULATOR THAT TRASHES WINDOWS SECURITY.
This is hardly a “flaw”. The user has to “OK” any extension which requests any elevated permission (such as accessible website data).
All plugins / app stores on all browsers and phones, etc. tend to work this way.
Hey. Here’s a quick question: Why is this news?!
Did he manage to upload it to the official Chrome repository? No? Then why is “installing a dubious and unauthorized application from an untrusted source can harm your computer” a new concept?
I did not try to upload it in the Chrome repository and the reason is that I do not want to try and exploit users with this extension.
I am merely demonstrating that it can be done.
Who seriously thought that it couldn’t be done? You’re “demonstrating” the obvious.
@olleks considering google allows extensions that aggregate stolen/redistributed trial keys for ESET products unimpeded, i think asserting that “they didn’t allow this extension to be submitted” is a bit short-sighted. my guess is that he didn’t *try* to submit it.
This is already exactly what LastPass does, except when it sends your login details, its sending them to their vault, so that you can access them from anywhere. So, not exactly something new – and obviously Google are already aware of this ability from extensions.
Google have the ability to remotely disable any plugins that it has found to be of risk to security, so the minute a flaw in a plugin has been found, it will be disabled.
Nice! Now that’s a nice cracker for you :)
This is not even news; this is possible with every damn webpage unless and until they cease to exist. I wonder what's wrong with the author.
As I have stated, I wrote the post to show that these things can also be done with browser extensions.
Something particularly wrong with that?
@Andreas: are you going to get the payment from Google? :-)
I’m not sure what kind of restriction a BHO has under IE, but until IE7, it was practically NONE. This “bug” is vastly “exploited” and we’re very aware of it. Most AVs have BHO signatures, and the same applies to Firefox, and others.
However, I agree vendors didn’t take the right approach yet, which IMO would be allowing granular control over data accesses. Moreover, a visible “secure classification” should be presented to the user. There should be at least a “tester bot” on the “plugin center” to check under which circumstances a plugin opens a connection, to which host/port, if it accesses sensitive information, etc. Gathering all this information would allow vendors to classify and expose what kind of data each plugin accesses, and whether it could cause any harm by exposing sensitive user information. Of course it is not as easy as it sounds, because many factors and conditions could make this work difficult. Although, I think it’s a good scrap for the beginning.
More ideas? :-)
s/scrap/draft/
Jardel, payment for what exactly? I know you’re just taking the piss, but come on people; this is getting way out of proportion now…
But as you have said, for the moment, vendors are not taking the right approach at the issue, so I think making everyone more aware about the situation isn’t such a bad idea.
@Andreas: Google has a vulnerability reward program. But right, my question has a bit of sarcasm.
People failed to realise this post is written by Alex, and you’re defending your article, not his. Congrats for YOUR post btw :)
Is this the definition of an extension? This isn’t anything surprising….
Trolls get to write their own articles on tnw now?
If you let someone insert Javascript into webpages you’re viewing, they can potentially grab the information on it and pass it on to others. Wow. That’s such a revelation.
And if you even let someone insert functionality into your browser itself, they can pass on even more information OMIGAWD!
To call this an exploit, a trashing of security, or even a Friday afternoon scare demonstrates that the author has either a very poor command of browser technology, he was born yesterday and everything is new and exciting, or he’s terrible at trolling.
Why has this “story” been written? Moreover, why is the title written to scare people?
If my mom had a tech blog, this is the kind of article she would write.
In case there was any doubt prior to this article being written: programs and their extensions have access to the data they manipulate. You shouldn’t ever install anything from a source you can’t trust completely.
As I have said earlier on, since when is it wrong to remind people about the dangers of installing 3rd party applications?
It is because you’re stating that this is a “flaw” and you’re “trashing” Chrome’s security. Those words state that you are stating Chrome’s security is incorrect, and some users will think that way. If you reworded your article and stated “Installing 3rd party extensions is dangerous in Chrome” then it is a better topic. But as it is now, it seems you are really trashing it.
Did you even read my blog post?
In my post, I have neither stated Chrome has “incorrect” security nor have I said that I “trashed” anything.
Please take some time and read my post before commenting any further. The article on this website was written by Alex Wilhelm, and I am not Alex Wilhelm.
@ Andreas, thanks for the article. Though some here are asking so what’s the point in this? You are just telling us what we already know, that when you start adding apps or plugins from all over you MIGHT be infected with something or worse. I am actually relieved to read this since I use Chrome a lot but I rarely dl any plug ins unless it’s something like translator or the dictionary. Same as in Facebook. I don’t accept every app that comes my way. All this article was for people, was to show how easy it is for someone to use Chrome’s plugins against clueless users to access their data. It may not be new news. I like to call it a friendly reminder ;)
Ameena, thanks for your comment.
Too bad many people expected something “revolutionary”. My blog is not a news website, and I post whatever I feel interesting.
In my opinion, this was interesting and so I posted it. Anyone who feels that this is “common sense” for their tastes should just skip it and move on to something else.
google was “we won't allow plug-ins in my browser because it's dangerous for the users”
and the users were “we don't give a sh*t about our own security, we will use Firefox until you get us funny plug-ins”
and google was “if you want so, now you can't complain anymore because you asked for a security exploit in your browser”
and now everyone thinks that chrome is sh*t, just because the competition forced google to put plug-ins, so we wouldn't lose users
end
Just leave him alone. He didn’t make it out to be a big deal but all of you seem to be picking on him.
He hasn’t tried to exploit anyone/anything and hasn’t laid claim to being the first to do it or that its big news.
Jake, thanks for your comment.
At least now I know some people got the point of the article, because apparently many have mistaken my blog as a News website :/
You guys are all dumbshits. Chrome’s extensions API gives extension coders full access to the HTML DOM. Obviously, extension creators can do whatever-the-hell-they-want with your shit. Just don’t be a moron and check extensions before you go install every single one.
Screw this, this ain’t news.
“Just don’t be a moron and check extensions before you go install every single one.”
Although the way you put it is very arrogant and cocky, that is the whole point of my post :-)
Thing is, the best way to convey such is with examples and that’s what I did in my post; I demonstrated an example of how such activities can happen. That way, people truly believe that these threats are real.
This is just bogus. We owe him a shit. This kind of “exploits” can be applied to almost every browser or software in general that handles private data and has a plugin interface.
I doubt google will fix this, because there is no way to shut down this feature without affecting other, proper plugins as well.
Not everybody knows this stuff, so it’s good information. People always assume that things are safe, but from one day to the next, things can change – some developers wear white and black hats.
Thanks for bringing this to our attention. Kudos to Andreas and Alex.
Because it’s built on WebKit, who’s to say this can’t happen in Safari?
Andreas isn’t claiming this is the next big security threat to Chrome, nor is it. In the end, it comes down to users just making sure people know what they’re installing. Just like how parents tell their kids to not eat stuff off the floor and to not play with black widows.
The real idiots here are all the people who blogged about this and turned it into sensationalist bull. I mean, if I were to put up a hypothetical post proclaiming simple DOM access as “Hacker Creates Plugin That Trashes Chrome’s Security,” no developer or tech geek would ever take me seriously again.
…Oh, hi there.
“In the end, it comes down to users just making sure people know what they’re installing.”
Yes, exactly my point. I have shown that such malicious activities can also be done with browser extensions. I never hyped this is *mega* news or anything…it isn’t even news; my blog is a technical blog, not a technical news site.
Hopefully, with the popularity of this article, it reached out to some people to make them think twice about 3rd party applications.
I have now posted a second follow up on my post: http://blog.dreasgrech.com/2010/07/stealing-login-details-with-google.html#update2
In this follow up, I mention a Mozilla article published yesterday which talks about an add-on that has been discovered yesterday, that has been intercepting login details during this last month.
blah