Join us at TNW Conference 2022 for insights into the future of tech →

The heart of tech

This article was published on July 9, 2010

    Hacker Creates Plugin That Trashes Chrome’s Security

    Hacker Creates Plugin That Trashes Chrome’s Security
    Alex Wilhelm
    Story by

    Alex Wilhelm

    Alex Wilhelm is a San Francisco-based writer. You can find Alex on Twitter, and on Facebook. You can reach Alex via email at [email protected] Alex Wilhelm is a San Francisco-based writer. You can find Alex on Twitter, and on Facebook. You can reach Alex via email at [email protected]

    Update – The developer in question has updated his original blog post with new information and some disclaimers. Read it here first.

    We hate to scare you on Friday right before a good weekend, but this story is alarming enough that you need to hear about. Before we proceed, know that this exploit is out in the open, be extra careful when you install any Chrome plugin; you may be at risk.

    The exploit, developed by programmer Andreas Grech, employs a plugin coded using jQuery to track users’ login information and have it emailed to himself. He claims that he has tested the plugin, and that it has been successful against Twitter, Gmail, and Facebook. In his own words:

    The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.

    By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.

    The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the url and then proceeds to submit the form normally as to avoid detection.

    If you doubt his statements, he  has included the code for the plugin on his website.

    In some way, we all owe Mr. Grech a thank you for finding the flaw and proving its existence. Now that this is well known, Google can plug the hole and restore peace of mind to its millions of users.

    For now, only install plugins from people you know and trust, this exploit is dangerous.