this post was submitted on 09 Sep 2023
22 points (95.8% liked)
Linux and Tech News
1017 readers
29 users here now
This is where all the News about Linux and Linux adjacent things goes. We'll use some of the articles here for the show! You can watch or listen at:
You can also get involved at our forum here on Lemmy:
Or just get the most recent episode of the show here:
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
TLDR of sorts
To test Google's Web Store review process, the researchers decided to create a Chrome extension capable of password-grabbing attacks and try to upload it on the platform.
The researchers created an extension posing as a GPT-based assistant that can:
The extension does not contain obvious malicious code, so it evades static detection and does not fetch code from external sources (dynamic injection), so it is Manifest V3-compliant.
Notable website examples of lack of protections highlighted in the report include:
Finally, the analysis showed that 190 extensions (some with over 100k downloads) directly access password fields and store values in a variable, suggesting that some publishers may already be trying to exploit the security gap.
That's the scary bit. This field has been accessible for quite some time...