BEWARE — Google Chrome extensions can steal your passwords

by TonyLiberty

BEWARE — Google Chrome extensions can steal your passwords.

ONLY install extensions from trusted developers (You can check the developer’s website and read reviews from other users to get a sense of their trustworthiness)

Be careful about the permissions that you give to extensions. Only give extensions the permissions that they need to function. If an extension asks for permissions that it doesn’t need, don’t install it.

Researchers at the University of Wisconsin-Madison discovered that ~17,300 extensions on the Chrome Web Store (about 12.5%) have permissions that allow them to extract sensitive information from websites.

The Researchers also created a proof-of-concept extension that was able to pass Google’s Web Store review process and was accepted into the store. The extension was able to steal passwords from a number of popular websites, including Gmail, Cloudflare, Facebook, Citibank, the IRS, Capital One, and Amazon.

The researchers say that the problem is due to the way that Chrome extensions work. Chrome extensions have unrestricted access to the DOM tree of websites they load on, which allows them to access potentially sensitive elements such as user input fields.

Uh-oh! It looks like you're using an ad blocker.

Our website relies on ads and the generous support of readers like you to keep delivering free, high-quality content. Right now, we are facing serious funding challenges and we need your help more than ever. Disable your ad blocker and this message will vanish. You can also sign up for a membership to enjoy an ad-free experience while supporting our work: https://citizenwatchreport.com/plans/subscriptions/ Your support helps us stay independent, continue our work, and keep content free for everyone. We truly appreciate your understanding and thank you for standing with us.