Reader Doug* sent in this report after reading, “New, free Chrome extension checks for password hacks in real time.”
“Fred …found this in a forum…..a security flaw in the Password Checker extension…from Google…unfortunately it is in German….but perhaps you can further research the security flaw:
https://www.kuketz-blog.de/chrome-add-on-password-checkup-uebermittelt-domainname/
and
https://www.deskmodder.de/blog/2019/02/06/password-checkup-google-uebermittelt-doch-nicht-alles-verschluesselt/ “
Thanks, Doug! Yes, a German researcher looked at the datastream that Password Checker sends, and found that all username/password info is indeed fully encrypted or otherwise screened, as claimed; but the domain of the site you’re logging into is sent in the clear, maybe. (I say “maybe” because the report doesn’t say how they bypassed the innate SSL-encryption to snoop on the data exchange.)
I agree it would be better if all info from Password Checker were fully encrypted because, well, why not?
But I’m not going to worry about a potentially-visible URL: Under normal circumstances, URL info already gets scattered everywhere — recorded in the Browser History; parsed by URL-completion and page-prediction/caching services; processed, translated to IP and handled by various DNS servers, multiple ISPs and every single router along the way. Is Password Checker also knowing the URL really a problem?
And even if it is, does it really add to your risk?
If someone has camped on your connection, broken your SSL encryption, and is monitoring your datastream, you’re already screwed. Password Checker isn’t your problem.
Maybe I’m missing something, but plaintext URLs seem like a very minor thing.
Still, I agree it would be better if all info from Password Checker were fully encrypted. Again, why not?
Permalink: https://langa.com/?p=1961
* Want to ask Fred a question? Have a comment? Click here!
Want free notification of new content like this? Click here!