Extensions Can Steal Plaintext Passwords


atinfo

atinfo

Well-known member
Power User
VIP
Local time
12:12 PM
Posts
1,171
OS
Win 11 Enterprise
www.bleepingcomputer.com

Chrome extensions can steal plaintext passwords from websites

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.
www.bleepingcomputer.com www.bleepingcomputer.com

Does it mean saved passwords (in Edge/Chrome) are not in a safe place?
 

My Computer

System One

  • OS
    Win 11 Enterprise
    Computer type
    Laptop
    CPU
    i7
    Hard Drives
    SSD
atinfo said:
www.bleepingcomputer.com

Chrome extensions can steal plaintext passwords from websites

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.
www.bleepingcomputer.com www.bleepingcomputer.com

Does it mean saved passwords (in Edge/Chrome) are not in a safe place?
Click to expand...


The "saved passwords" (in the browser), are OK. The article says that the extensions can grab passwords from "websites" that store passwords as plaintext.

Actually the article doesn't mention saved passwords in the browser at all. It's only referring to websites that store passwords as plain text. It doesn't say how the browser stores the passwords.

I guess the safest option would be to not run any extensions, until they get this worked out.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26100.3194 ♦♦♦♦♦♦♦24H2 ♦♦♦non-Insider
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4702)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?
Saved Passwords in Edge are encrypted, if you want to export your saved passwords to a file for backup purposes you will be warned that the export will be plain text if you proceed.
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2, build: 22621.521
    Computer type
    PC/Desktop
    Manufacturer/Model
    Scan 3XS Custom 1700
    CPU
    Intel i7-12700K 3.6GHz Base (5.0GHz Turbo)
    Motherboard
    Asus ProArt Creator B660 D4
    Memory
    64GB DDR 3600Mhz
    Graphics Card(s)
    Asus Tuff RTX 3080 10GB OC
    Sound Card
    Onboard Realtek
    Monitor(s) Displays
    Gigabyte G32QC 32inch 16:9 curved @2560 x 1440p 165Hz Freesync Premium Pro/ Dell SE2422H 24inch 16:9 1920 x 1080p 75Hz Freesync
    Screen Resolution
    2560 x 1440p & 1920 x 1080p
    Hard Drives
    WD SN570 1TB NVME (Boot), Samsung 870QVO 1TB (SSD), SanDisk 3D Ultra 500Gb (SSD) x2, Seagate 3Tb Expansion Desk (Ext HDD), 2x Toshiba 1Tb P300 (Ext HDD)
    PSU
    Corsair RM1000X Modular
    Case
    Corsair 4000D Airflow Desktop
    Cooling
    Corsair Hydro H150i RGB Pro XT 360mm Liquid Cooler, 3 x 120mm fans, 1x Exhaust
    Keyboard
    Microsoft Ergonomic
    Mouse
    Logitech G402
    Internet Speed
    800Mbs
    Browser
    Edge Chromium
    Antivirus
    Defender, Malwarebytes
Ghot said:
The "saved passwords" (in the browser), are OK
Click to expand...
DigitalGoat said:
Saved Passwords in Edge are encrypted
Click to expand...
Sorry but at least one readily available tool can retrieve all passwords from Edge in plain text even if they are protected by the 'primary password' facility.
It failed in its attempts to do the same with Firefox passwords protected by its 'primary password' facility. I have yet to find a tool that can work with Firefox but I would not be at all surprised to discover that one exists.


Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
Ghot said:
Actually the article doesn't mention saved passwords in the browser at all. It's only referring to websites that store passwords as plain text. It doesn't say how the browser stores the passwords.
Click to expand...
Thanks :thumbsup:. I thought that if users enter their password in the sign-in box (like Gmail), it would be revealed as plain text for extensions!

Ghot said:
The "saved passwords" (in the browser), are OK. The article says that the extensions can grab passwords from "websites" that store passwords as plaintext.
Click to expand...
As far as I can remember, FF had an extension (there was also an app) which could grab all saved passwords! I am sure the passwords (saved passwords in Edge/Chrome) are easily accessible, even for cookies!

Ghot said:
I guess the safest option would be to not run any extensions, until they get this worked out.
Click to expand...
I banned some of the extensions access to all URLs I visit (they will enable just for specific URLs). I'm wondering, why MS/Google doesn't implement permission access (like Android apps) options for extensions. An extension has to show what permission they have, and users should have a choice to let them access storage, passwords, and all URLs or not.
 

My Computer

System One

  • OS
    Win 11 Enterprise
    Computer type
    Laptop
    CPU
    i7
    Hard Drives
    SSD
I'm just "guessing" what the article means.
I don't use any extensions in Firefox. And I don't use any other browser.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26100.3194 ♦♦♦♦♦♦♦24H2 ♦♦♦non-Insider
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4702)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?
So no-thanks.
 

My Computer

System One

  • OS
    Win 11 Enterprise
    Computer type
    Laptop
    CPU
    i7
    Hard Drives
    SSD
You must log in or register to reply here.

Similar threads

Chrome and Edge users infected with malicious browser extensions that steal your personal data — what to do now
Replies
0
Views
445
Wolfzz
Wolfzz
  • Article Article
Enhancing security of Microsoft Edge Extensions with new Publish API – What’s next?
Replies
0
Views
117
Brink
Brink
  • Article Article
Microsoft Autofill Chrome Extension is being retired on December 14, 2024
Replies
0
Views
259
Brink
Brink
Solved Disable Microsoft Edge blocking of downloads of certain file extensions (xml, ps1, reg)
Replies
8
Views
8K
AsadAlrafidain
A
  • Article Article
You can now save passkeys to Google Password Manager in Chrome on desktop
Replies
0
Views
373
Brink
Brink

Latest Support Threads

Latest Tutorials

Back
Top Bottom