alt Hacker NewsBrowser extensions have much looser security than you would think: any extension, even if it just claims to change a style of a website, can see your input type=password fields - it's ludicrous that access to those does not need its own permission !
Replies
drdec • today at 1:41 PM
Even scripts within the page itself cannot read the value of password input fields. This is less of an issue than you are presenting it as.
➕ show 1 reply
It's hard to see how you would implement that, any script run within the context of the page needs access to these fields for backwards compatibility reasons, so the context script of the extension would just need to find a way of running code in the context of the page to exfiltrate the data. It could do this by adding script tags, etc.