Andrea Grech, a programmer claims that he wrote a plugin / extension that could steal login IDs and passwords of the users who installed it. He will receive their facebook and twitter passwords and IDs in an email from the plugin.
By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.
The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the url and then proceeds to submit the form normally as to avoid detection.
This simple procedure has been successful against Gmail, Facebook, Twitter and other major websites.
Update From The Original Blogger : This is not just Google Chrome, and…
Some have also commented as regards me demonstrating this on Google Chrome. Yes, other browsers can also be ‘vulnerable’ to this technique but I chose to try this on Google Chrome because it has apparently been dubbed as ‘the safest browser available’, and I’m not denying that. I wanted to make users aware that although Google Chrome is, undoubtedly, a safe browser to use, they should still be careful about what they install on their browsers and not blindly trust anything.
photo by orrange