Google Chrome extensions will have to be hosted on the Chrome Web Store – Silicon, thousands of Google Chrome extensions would be able to steal your passwords

Google Chrome extensions will have to be hosted on the Chrome Web Store

The Google Chrome web browser continues to suffer attacks from certain unscrupulous developers who install unwanted extensions, which can, for example, insert advertisements into the pages the browser displays or capture browsing data.

Google had already tried to settle this problem in February, with Chrome 25. That version prohibited the silent installation (that is, installation without the user being informed) of extensions in the browser (see “Google Chrome 25 provides voice recognition, cleanses extensions and secures research”).

The measure was visibly insufficient, since unwanted extensions with silent installation continued to proliferate. Google's engineers have decided to take a harder line, announcing that only extensions hosted on the Chrome Web Store can be installed in the stable and beta versions of Chrome.

Reinforced security

This decision will initially concern only the Windows version of the application – which remains the most affected by this phenomenon – and will take effect from January 2014.

It will therefore become impossible to install an extension from a third-party site or from the computer's hard drive. Google will be able to better control the extension installation process, since silent installation of these modules is impossible from the Chrome Web Store.

It should be noted that those who use a pre-release version of Chrome and those who develop extensions will still be able to install extensions directly from their machine (or from a website other than the Chrome Web Store).

This possibility will also remain available to companies that use group policies for the internal deployment of their own extensions.

Thousands of Google Chrome extensions would be able to steal your passwords

More than 17,000 programs available on the Chrome Web Store could record the passwords you type on many sites such as Gmail, Facebook or Amazon, according to a study.

If you use Google Chrome, you have probably downloaded extensions, the programs that add many very useful functions to the basic browser. Beware, because they could steal your passwords.

And this is not a marginal phenomenon. Several thousand of the extensions downloadable from the Chrome Web Store would have the authorizations needed to retrieve, without difficulty, the passwords you enter on websites, according to a study published on August 30 on the arXiv preprint site.

This is a major risk, since these passwords could then be used for theft, identity theft and other scams of all kinds. These extensions are not viruses: the problem would actually come from the websites themselves, according to the University of Wisconsin-Madison researchers behind the study.

Passwords readable in clear text

A large share of these sites store the passwords you type in their HTML code, in clear text: that is, without any modification and in a form perfectly readable by a human, or by a program.

However, many Chrome extensions can indirectly read the HTML code of websites, and can therefore pass on your passwords, according to the authors of the paper, as relayed by the specialist site Bleeping Computer. Nearly 17,300 extensions, or 12.5% of the total available on the platform, would have this capability according to the study (which has not yet been peer reviewed).
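An added example, not part of the original article or the study: a small Node.js audit that flags extension manifests whose declared access lets their scripts read page content, form fields included, on every site. The manifest keys are the standard Chrome ones; the `auditManifest` and `auditAll` names, the list of "every site" patterns and the sample manifests are constructed for illustration and do not reproduce the study's selection criteria.

```javascript
// Added example (not from the article or the study). Flags manifests whose
// declared access lets extension scripts read page content on every site.
// Match patterns treated as "every site" (an assumption of this example).
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// In Manifest V2, host patterns sit in "permissions" next to API names.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

function auditManifest(manifest) {
  const findings = [];
  // Content scripts run inside matching pages and can read the DOM,
  // including the value of form fields.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD.has(m));
    if (broad.length) findings.push("content_scripts: " + broad.join(", "));
  }
  // Host access: "host_permissions" in Manifest V3, "permissions" in V2.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter(isHostPattern),
  ];
  const broadHosts = hosts.filter((h) => BROAD.has(h));
  if (broadHosts.length) findings.push("host access: " + broadHosts.join(", "));
  return { name: manifest.name, broad: findings.length > 0, findings };
}

// Constructed sample manifests, not real extensions.
const SAMPLES = [
  { name: "assistant-demo", manifest_version: 3,
    permissions: ["storage"], host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["*://*/*"], js: ["cs.js"] }] },
  { name: "legacy-demo", manifest_version: 2,
    permissions: ["tabs", "https://*/*"] },
  { name: "scoped-demo", manifest_version: 3,
    host_permissions: ["https://intranet.example/*"],
    content_scripts: [{ matches: ["https://intranet.example/*"], js: ["cs.js"] }] },
];

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

for (const r of auditAll(SAMPLES)) {
  console.log(r.broad ? "REVIEW" : "ok    ", r.name, r.findings.join("; "));
}
```

A flag here means only that the extension holds the kind of access the article describes, not that it misuses it.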

To support their conclusions, the researchers ran an experiment. They created a Chrome extension capable of stealing its users' passwords by the method described, and they tried to make it available to users on Google's extension store.

The program, disguised as a virtual assistant offering functions similar to ChatGPT, passed the Chrome Web Store's verification procedures without any problem. It could therefore have stolen passwords from every user who downloaded it. The researchers explain that they disabled the collection of this data and quickly removed the application from the Chrome store, but not all programmers may be so ethical.

Sites like Gmail and Facebook affected

And the opportunities are many: among the 10,000 most visited sites, around 1,100 record passwords in clear text in their HTML code, according to the researchers. Big names like Gmail, Facebook or Amazon – and 7,300 others – would have similar vulnerabilities.

Is this technique already being exploited without users' knowledge? The study's authors have identified 190 extensions that already store passwords. A Google spokesperson told Bleeping Computer that the company was studying the situation, but recalled that, according to the Google Chrome extensions FAQ, this is not a security problem as long as the authorizations have been legitimately obtained.
