When a Chrome extension says "It can read and change your data on the websites you visit", can they read the passwords you enter?


Nidal Barqawi

Jul 13, 2017, 9:48:07 AM
to Chromium-Extensions-Announce

When a Chrome extension says "It can read and change your data on the websites you visit", can they read the passwords you enter?

Decklin / Deco

Jul 19, 2017, 4:54:32 PM
to Nidal Barqawi, Chromium-Extensions-Announce
Potentially but most probably not. It's that most extensions assign the "*" permission for reading, most entries for passwords are encrypted so it is unreadable - the warning is just used to inform the user, so there is no need to worry.

On Thu, Jul 13, 2017 at 2:48 PM Nidal Barqawi <product...@gmail.com> wrote:

When a Chrome extension says "It can read and change your data on the websites you visit", can they read the passwords you enter?

--
You received this message because you are subscribed to the Google Groups "Chromium-Extensions-Announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/5fccc376-4a09-4632-97a1-1acda92b2ea0%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.

PhistucK

Jul 20, 2017, 4:02:33 AM
to Decklin / Deco, Nidal Barqawi, Chromium-Extensions-Announce
What makes you think that most passwords are encrypted (on the client, that is, since extensions operate on the client)?
If the user enters a password, such an extension certainly can (whether it does or does not, is what makes it malicious/a password manager, or not ;)) read that password - yes.


PhistucK

On Wed, Jul 19, 2017 at 11:54 PM, Decklin / Deco <decklin...@gmail.com> wrote:
Potentially but most probably not. It's that most extensions assign the "*" permission for reading, most entries for passwords are encrypted so it is unreadable - the warning is just used to inform the user, so there is no need to worry.
On Thu, Jul 13, 2017 at 2:48 PM Nidal Barqawi <product...@gmail.com> wrote:

When a Chrome extension says "It can read and change your data on the websites you visit", can they read the passwords you enter?


Amir Hameed Codehopper

Jul 20, 2017, 5:49:56 AM
to PhistucK, Decklin / Deco, Nidal Barqawi, Chromium-Extensions-Announce
I think with a content script it can read input fields and hence can see what the password is.

On Thu, 20 Jul 2017 at 13:02 PhistucK <phis...@gmail.com> wrote:
What makes you think that most passwords are encrypted (on the client, that is, since extensions operate on the client)?
If the user enters a password, such an extension certainly can (whether it does or does not, is what makes it malicious/a password manager, or not ;)) read that password - yes.


PhistucK
On Wed, Jul 19, 2017 at 11:54 PM, Decklin / Deco <decklin...@gmail.com> wrote:
Potentially but most probably not. It's that most extensions assign the "*" permission for reading, most entries for passwords are encrypted so it is unreadable - the warning is just used to inform the user, so there is no need to worry.
On Thu, Jul 13, 2017 at 2:48 PM Nidal Barqawi <product...@gmail.com> wrote:

When a Chrome extension says "It can read and change your data on the websites you visit", can they read the passwords you enter?

--
Regards
Amir Hameed

Thomas Gallagher

Jul 20, 2017, 11:00:44 AM
to Chromium-Extensions-Announce
A Chrome extension, by injecting a content script, can read any password you enter by listening for keystrokes or reading input fields.

However, this is not specifically related to the warning you mentioned, which is a general permission for the extension to operate on web sites - a permission which can be abused of course but is also required by many, if not all, legitimate extensions.

If you have any critical passwords, you can always keep extensions disabled until you need to use them. This will prevent any abuses that might occur.
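
An added example, not part of any post in this thread: a small audit that flags extension manifests whose host access covers every site, which is the grant behind the warning quoted in the question and the condition under which a content script can see any form field. The two manifests are constructed samples, and the pattern list is limited to the match patterns that cover all sites.

```javascript
// Added example: flag Chrome extension manifests whose scripts can run on every site.
// Match patterns that cover all sites (or all http / all https sites).
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Return one finding per broad host grant: { source, pattern }.
function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 lists host patterns in "permissions"; Manifest V3 uses "host_permissions".
  for (const key of ["permissions", "host_permissions"]) {
    for (const entry of manifest[key] || []) {
      // API names such as "storage" share this list and are not host patterns.
      if (typeof entry === "string" && BROAD_PATTERNS.has(entry)) {
        findings.push({ source: key, pattern: entry });
      }
    }
  }
  // Content scripts are injected into every page their "matches" patterns cover.
  (manifest.content_scripts || []).forEach((script, i) => {
    for (const pattern of script.matches || []) {
      if (BROAD_PATTERNS.has(pattern)) {
        findings.push({ source: `content_scripts[${i}].matches`, pattern });
      }
    }
  });
  return findings;
}

// Constructed sample manifests (not real extensions).
const broadExtension = {
  name: "Constructed example A",
  manifest_version: 2,
  permissions: ["storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const scopedExtension = {
  name: "Constructed example B",
  manifest_version: 3,
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://intranet.example.com/*"],
  content_scripts: [{ matches: ["https://intranet.example.com/*"], js: ["content.js"] }],
};

for (const m of [broadExtension, scopedExtension]) {
  const findings = auditManifest(m);
  console.log(`${m.name}: ${findings.length ? "runs on all sites" : "scoped"}`);
  for (const f of findings) console.log(`  ${f.source}: ${f.pattern}`);
}
```

A manifest with no findings can still read fields on the specific sites it does list.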