> The researchers explain that the problem concerns the systemic practice of giving browser extensions unrestricted access to the DOM tree of sites they load on
Of course.
> Your data on all the websites you visit gives access to read, request or modify data from every page you visit (bank account, Facebook).
Seems like a non-story. This is obviously by design.
Extensions may need to access the DOM, including password and other sensitive fields (e.g. for autofill and password managers).
That's indeed what Google has said in response:
> A Google spokesperson has confirmed that they're looking into the matter, and pointed to Chrome's Extensions Security FAQ that does not consider access to password fields a security problem as long as the relevant permissions are properly obtained.
The problem is that far too often extension authors require unnecessary privileges under the excuse of needing them for improvements (usually of doubtful value). And users are used to accepting it...
> A Google spokesperson has confirmed that they're looking into the matter, and pointed to Chrome's Extensions Security FAQ that does not consider access to password fields a security problem as long as the relevant permissions are properly obtained.
This definitely feels like the wrong approach. I think they should be moving towards deprecation of this permission, and replacing it with what the extension actually needs.
Many extensions need full access to the DOM, because their functionality depends on it. Their sole purpose is to manipulate the DOM for various purposes.
That's why it is always a risk to use browser extensions and you really have to trust the people behind the extension.
Obviously, if the browser supports it, the access should be limited to the sites where it actually matters. Like a YouTube ad blocker to youtube.com. Unless you make a living from YouTube. Then you don't want to block ads for ethical reasons as well as security reasons, because it can kill your livelihood.
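Added example, not code from anyone in this thread: a small JavaScript check that flags an extension manifest asking for every site (the "Your data on all the websites you visit" case) so a reviewer can see whether host access is scoped to where it matters, e.g. youtube.com. Both manifests below are constructed for illustration.

```javascript
// Match patterns that grant access to every site; checked against MV2
// "permissions" (which may hold host patterns), MV3 "host_permissions",
// "optional_host_permissions" and each content script's "matches".
const BROAD_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadPattern(pattern) {
  return BROAD_PATTERNS.includes(pattern.trim());
}

// Returns a list of "where: pattern" strings for every all-sites grant found;
// an empty array means the manifest's host access is scoped.
function findBroadHostAccess(manifest) {
  const findings = [];
  for (const key of ["permissions", "host_permissions", "optional_host_permissions"]) {
    for (const p of manifest[key] || []) {
      if (typeof p === "string" && isBroadPattern(p)) findings.push(`${key}: ${p}`);
    }
  }
  (manifest.content_scripts || []).forEach((script, i) => {
    for (const m of script.matches || []) {
      if (isBroadPattern(m)) findings.push(`content_scripts[${i}].matches: ${m}`);
    }
  });
  return findings;
}

// Constructed: a YouTube ad blocker that asks for every site it could ever load on.
const overBroadManifest = {
  manifest_version: 3,
  name: "Example YouTube ad blocker",
  version: "1.0",
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed: the same extension limited to youtube.com, as the comment suggests.
const scopedManifest = {
  manifest_version: 3,
  name: "Example YouTube ad blocker",
  version: "1.0",
  host_permissions: ["*://*.youtube.com/*"],
  content_scripts: [{ matches: ["*://*.youtube.com/*"], js: ["content.js"] }],
};

console.log(findBroadHostAccess(overBroadManifest)); // two findings
console.log(findBroadHostAccess(scopedManifest));    // []
```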
https://support.google.com/chrome_webstore/answer/186213?hl=...
If an extension can modify your DOM, well, guess what - it can attach event listeners, it can have passwords posted to pastebin, and so on.
That's why I don't install extensions that I don't trust that ask for this level of permissions.