Maltese developer reveals vulnerability in Google Chrome security
A Maltese software developer has described how he created a plugin for the Google Chrome browser that can watch users’ login information and send that information to him via email.
Andreas Grech wrote the plugin quickly using jQuery and has been demonstrating the attack as a proof of concept. Writing on his blog, he said he had tested the extension against Facebook, Gmail and Twitter.
Mr Grech explained that Google Chrome allows the installation of third-party extensions, which extend the browser with new features. Extensions are written in JavaScript and HTML and, among other capabilities, can read and manipulate the DOM of the pages a user visits.
Because an extension can read the DOM, a malicious one can read the contents of form fields, including username and password fields, before the page submits them.
"The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the url and then proceeds to submit the form normally so as to avoid detection."
Mr Grech stressed that he had not stolen any Twitter, Facebook or Gmail accounts.
"In fact, I didn't even upload this extension to the Google Chrome repository. I have only tried this extension on myself, just to test and see if it works."
See Mr Grech's full write-up at http://blog.dreasgrech.com/2010/07/stealing-login-details-with-google.html