undefined | Better HN

0 pointsorliesaurus8y ago0 comments

yes obviously, but in a real world scenario how would that work? Malicious extension loads the CSS file in my current tab and sniffs my password on the attacker's server? Can Chrome extensions load CSS without me having to click/activate them?

0 comments

3 comments · 2 top-level

maxchehab8y ago· 1 in thread

Yes they can. This attack does not have to be carried done through a chrome extension. I simply chose that because it is the easiest to show off. This can be hidden inside of a malicious npm module or injected into a website that has poor input sanitization.

The most important aspect of this attack is that it is carried out through css. It is possible to block remote javascript code from an extension, in fact, if one wanted to inject javascript into https://instagram.com (my example on github), they would fail.

orliesaurusOP8y ago

Thanks OP - that answers it!

bfred_it8y ago

The extension is just a way to inject this demo into any site, but extensions that you install can run JavaScript in any site they're allowed to, so this "hack" isn't necessary in that case.

j / k navigate · click thread line to collapse