A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.
Isn’t this exactly how LastPass and other password managers work? I did not read most of the article because it looked complicated, but is this new information?
I feel like if something like this isn't new information and is not fixed in 48 hours it needs repeating.
But I didn't read the article either and also don't use Chrome.
From my reading, yes, that’s how the others work, too. Extensions can grab passwords from the password field itself before you get to submit them and record them elsewhere.
This bit of information may not be new, but the proof of concept, submitted to Google’s extension store, is. It’s proof you can yank passwords automatically placed there by managers in Chrome using an extension created expressly to do that and served up by Google. And Manifest v3, Google’s new set of extension changes aimed at beefing up security, does nothing to prevent this.
Now, the finger pointing ensues.