by TonyLiberty
BEWARE — Google Chrome extensions can steal your passwords.
ONLY install extensions from trusted developers (you can check the developer’s website and read reviews from other users to get a sense of their trustworthiness).
Be careful about the permissions that you give to extensions. Only give extensions the permissions that they need to function. If an extension asks for permissions that it doesn’t need, don’t install it.
Researchers at the University of Wisconsin-Madison discovered that ~17,300 extensions on the Chrome Web Store (about 12.5%) have permissions that allow them to extract sensitive information from websites.
The researchers also created a proof-of-concept extension that was able to pass Google’s Web Store review process and was accepted into the store. The extension was able to steal passwords from a number of popular websites, including Gmail, Cloudflare, Facebook, Citibank, the IRS, Capital One, and Amazon.
The researchers say that the problem is due to the way that Chrome extensions work. Chrome extensions have unrestricted access to the DOM tree of websites they load on, which allows them to access potentially sensitive elements such as user input fields.
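One way to check what an extension can reach before you install or keep it is to read its manifest.json and look for content scripts or host permissions that cover every site. The Node.js sketch below is an added example, not code from this post or from the researchers; the function name auditManifest and both sample manifests are constructed for illustration.

```javascript
// Added example: flag Chrome extension manifests whose content scripts or
// host permissions cover every site. Sample manifests below are constructed.

// Match patterns that cover all (or nearly all) web origins.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

// Returns a list of findings for a parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  // Content scripts are injected into matching pages and can read their DOM,
  // including the values of password and other input fields.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0) {
      findings.push({ key: "content_scripts", patterns: broad, files: cs.js || [] });
    }
  }
  // Manifest V3 lists host access in host_permissions; Manifest V2 mixes host
  // patterns into permissions. Optional hosts are requested at runtime.
  for (const key of ["host_permissions", "optional_host_permissions", "permissions"]) {
    const broad = (manifest[key] || []).filter((p) => typeof p === "string" && isBroad(p));
    if (broad.length > 0) findings.push({ key, patterns: broad, files: [] });
  }
  return findings;
}

// Constructed sample: a "theme" extension that asks for far more than it needs.
const overbroad = {
  manifest_version: 3,
  name: "Sample Theme Helper",
  permissions: ["storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
// Constructed sample: the same kind of extension scoped to one site.
const scoped = {
  manifest_version: 3,
  name: "Sample Site Helper",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
};

for (const m of [overbroad, scoped]) {
  const f = auditManifest(m);
  console.log(m.name, f.length ? JSON.stringify(f) : "no broad host access");
}
```

A finding is not proof of malice, since many legitimate extensions need broad access, but it tells you which extensions could read what you type on any page.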