I couldn't find a simple, straightforward answer to this issue so forgive me if this is a duplicate of another entry. Whenever I would try to sign into, the username and password fields would be automatically filled in with a username and password I haven't used in years. It wasn't a big deal because I could just select the correct login from the LastPass drop-down and it would fill in correctly. After a few frustrating hours trying to figure out if the incorrect data was coming from Chrome, LastPass, or something else, I finally determined it was indeed coming from LastPass. However, I wanted to know where that username/password was coming from. When I looked at the entry in my vault, it was correct.

So, where was the old data coming from? After some more frustrating searching, I discovered that LastPass keeps a history of your usernames and passwords. It can be displayed by clicking on the icon that looks like a clock with an arrow around it above the username or password fields. When I looked there, sure enough, there was the old username. I could not figure out how to delete the history at that point.

Took note of my current username and password
Completely deleted the entry for the site from my LastPass vault (clicked on the trash can icon at the bottom of the entry)
Recreated the entry for the site (You can do that simply by going to the site and logging in with the correct username/password and LastPass will ask you if you want to add it.)

After that, the wrong username/password were no longer auto-filled into fields on the site. I have no idea why LastPass would use the username/password from the history instead of the current settings.

Today at Black Hat, a computer security conference in Las Vegas, researchers described how they were able to steal data from Chrome OS, an operating system built by Google that requires the user to do almost everything via the Web. By using the operating system’s Web-based design against itself, the researchers were able to get access to users’ names and passwords, and even banking information. While the specific vulnerabilities they exploited can be closed, the researchers say there is no way to block the broader threat.

Google has touted Chrome OS as a revolutionary approach to computing, and emphasized its security. Since applications run on the Web, users won’t run out-of-date software, which commonly leaves them open to security vulnerabilities. The system is also automatically updated, and little is stored on the user’s computer. If a malicious piece of software tries to get onto a Chrome computer, Google can remotely restore the operating system to a pristine state. These aspects should make it less vulnerable to viruses and other threats.

The researchers found that extensions can get broad access to what’s going on in users’ browser tabs. As such, someone could use them to steal usernames and passwords, cookies, and browsing history information, including information that comes from sites that don’t have vulnerabilities themselves.

Threat extension: Chrome OS relies on browser extensions, shown here, to add full functionality to the operating system. But researchers say they can also open the system to security threats.

The researchers found that many existing extensions had broad permissions, and were vulnerable to cross-site scripting. They also showed that it’s possible to build malicious extensions. They could be disguised, for example, as ways to get images of pop stars. The researchers say there’s no way to block this threat because anyone can make an extension, and Google doesn’t review them before they’re made available to users. There are nearly always going to be some extensions with security vulnerabilities, giving hackers a way to bypass the otherwise solid protections of Chrome OS.

The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn’t protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab.

“Whose problem is this on the whole?” Johansen says, noting that both Google and extension makers may have a responsibility to protect against the attack. Google has fixed the problems with its own extensions, and is contacting extension makers who may be able to help.