0

May be i understand something wrong?

How is this possibly allowed to access to all cookies from an extension?
Does it mean, that any extension potentially can steal all of the cookies as simple as that?
I'd assume that chrome.google.com support is checking each extension and each update to make sure there is no such dangerous things, but I have experience developing extensions and it looks like extension updates are moderated automatically. So, does all of this mean, that it's possible for any extension to steal all of the cookies data and send it anywhere?

stkvtflw
  • 12,092
  • 26
  • 78
  • 155
  • No. The user grants permission at install. Any extension that has permission to access all your site data can, others cannot. https://developer.chrome.com/extensions/permission_warnings – Daniel Herr Oct 15 '16 at 20:53
  • 1
    ok, i can rephrase it: is it possible, to steal cookies after asking for permission? i use adblock, it has permission, i use cookie manager - it has permission. Do these extensions able to steal my cookies? – stkvtflw Oct 15 '16 at 21:10

1 Answers1

3

As answered in the Chromium Projects - Cookies API:

A malicious extension could steal cookies from sites the user visits. The API also exposes HttpOnly cookie data to the extension. However, it is already possible to obtain cookies and to generate HTTP requests from a Chrome extension by using content scripts, so these new APIs don't expose any new vulnerabilities.

Solutions given in this SO post and chrome.cookies documentation might also help.

Community
  • 1
  • 1
Teyam
  • 7,686
  • 3
  • 15
  • 22