Vulnerability with Google Chrome Extension

Hey Google,

Chrome extensions are insecure. They allow developers to collect login information from any website without the user's knowledge.

When a Chrome extension is installed, it is on for your browser in every session if there is no background script or page.

One can easily inject a piece of JavaScript code into any site and collect the login details of any user.

A person who understands a bit of JavaScript can read all the values entered into the input fields. When you read the value of a password field, it gives you the actual password.

From there, making an AJAX call to your server on click of the submit button, to store the page URL, username and password, is a cakewalk.

Injecting JavaScript into any website from a Chrome extension must be restricted.

Give your thoughts.
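
For anyone reviewing which extensions are able to do what this post describes, here is an added example (not part of the original post): a Node.js check over an extension's `manifest.json` that flags content scripts and host access covering every site. The manifest keys are Chrome's documented ones; the function names and the sample manifests are constructed for illustration.

```javascript
// Added example: audit an extension manifest for script access to every site.
// Function names and sample manifests are constructed for illustration.

// A match pattern is "broad" when it is <all_urls> or its host is a bare "*".
function isBroad(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\/.*$/.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  // Declarative injection: content_scripts run on every page in "matches".
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length) {
      findings.push({ kind: 'content_script', patterns: broad, files: cs.js || [] });
    }
  }
  // Programmatic injection: host access is listed under "permissions" in
  // Manifest V2 and under "host_permissions" in Manifest V3.
  const hosts = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ].filter((p) => typeof p === 'string' && isBroad(p));
  if (hosts.length) findings.push({ kind: 'host_access', patterns: hosts });
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadManifest = {
  manifest_version: 3,
  name: 'sample-broad',
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
  host_permissions: ['https://*/*'],
  permissions: ['storage'],
};
const scopedManifest = {
  manifest_version: 3,
  name: 'sample-scoped',
  content_scripts: [{ matches: ['https://example.com/*'], js: ['helper.js'] }],
  permissions: ['storage', 'activeTab'],
};

console.log(JSON.stringify(auditManifest(broadManifest), null, 2));
console.log(JSON.stringify(auditManifest(scopedManifest)));
```

An empty result means the manifest requests no all-site access up front; it says nothing about what the extension's code does on the sites it is scoped to.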