33 comments

[ 2.7 ms ] story [ 50.6 ms ] thread
It is an humbling experience the moment when you accept that getting hacked is something that can happen to anyone, including the best of us. No one is too good not to be hacked.
What was the Chrome extension?
Unfortunately, I haven't been able to pinpoint which one it was. It certainly was a dark reader extension, that I can tell.
> open their password manager which also might need you to authenticate, type in their master password, search for the name of the said website, copy the password, paste it in

This is one way to guarantee you'll eventually fall for a phishing attack. Are we really running URL-unaware password managers in the year 2026?

It’s also an issue that extensions like 1Password are _too_ URL-aware, until recently it tried to use heuristics and ignore subdomains for matching credentials. This meant that we used to get a list of almost a hundred options when logging into our AWS infrastructure. No matter which actual domain used. Someone could have used this vulnerability as part of a phishing campaign.
Yes we should run URL-unaware manager, but nearly no one understand security, especially in browser. Let's see the permission asked for the #1 manager in firefox (Authenticator):

  Input data to the clipboard
  Access your data for sites in the dropboxapi.com domain
  Access your data for www.google.com
  Access your data for www.googleapis.com
  Access your data for accounts.google.com
  Access your data for graph.microsoft.com
  Access your data for login.microsoftonline.com
Yep! And #2 (2FAS Auth):

  Display notifications to you
  Access browser tabs
  Access browser activity during navigation
  Access your data for all websites
Even better, maybe at one point web browser can get their sh* together and build better permission system (and not just disable functions like manifest v3). For now the majority of people trust opaque organization shoving them unknown code their run with way too many permissions on their computers.

Talking about unknown code there is a lot of work to be done on reproducible build as anything touching web has nearly nothing about it.

That's a very smug take, especially when you encounter websites every day that don't autofill for whatever reason (As another poster already showed with some examples) or in my case the 1Password extension in Safari failing to connect to the main 1Password deamon or a number of other issues that make this still common place in 2026.

And that's for me, a technical user using a password manager.

>Are we really running URL-unaware password managers in the year 2026?

URL-aware browser plugins for autofilling passwords can also make people _more_ susceptible to phishing.

The password managers plugins sometimes not working correctly changes the Bayesian probabilities in the mind such that username/password fields that remain unfilled becomes normal and expected for legitimate websites. If that happens enough, it inadvertently trains sophisticated computer-literate users to lower their guard when encountering true phishing websites in the future. I wrote more on how this happens to really smart technical people: https://news.ycombinator.com/item?id=45179643

Password browser plugins being imperfect can simultaneously increase AND decrease security because of interactions with human psychology.

I'm using Apple's Password Manager (native app on iOS & macOS), but didn't install its browser extension that can do autofill because for me it wasn't as convenient (it has a bad UX, unreliable autofill, etc.)

So, when I'm prompted to log in somewhere, I open the password manager and repeat the steps you just mentioned. It does add extra steps to the process, but I don't think it makes it less safe than having an autofill extension, which requires a ton of permissions and is more prone to compromises. And yes, my manual method also means I have to rely on me being aware of the URLs I'm on, but I usually bookmark my main services, so it's working fine for me this way. I also treat all emails as spam and/or an attack unless I verify them by the domain, and whether I had just recently requested to log in or requested a password change, etc.

At the end of the day, it boils down to us paying attention to every action we take, regardless of the measures we take, as new and different methods are being deployed to own us every day.

Autofill can be an attack vector.

Lookup Dom-based clickjacking. It will "autofill" the field but on submission it sends the data to an attacker.

"The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero.

The research specifically focused on 11 popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, all of which have been found to be susceptible to DOM-based extension clickjacking. Collectively, these extensions have millions of users."

""All password managers filled credentials not only to the 'main' domain, but also to all subdomains," Tóth explained. "An attacker could easily find XSS or other vulnerabilities and steal the user's stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).""

More info: https://marektoth.com/blog/dom-based-extension-clickjacking/

Originally discussed at DEFCON 33

Not all too long ago I had someone port out my VOIP number. They had it for a few hours. This was after I had spent extensive effort attempting to secure my digital life. VOIP was SIM-swap resistant sure, but I totally missed that port out requests default to failing open.

Thankfully the VOIP operator alerted me and pulled the number back. Then I set a port out code.

Who knows how many other holes I have. I lost my sense of smugness that day.

Using SMS 2FA has been explicitly deprecated for years. It’s insecure for this and a million other reasons.

TOTP is also trivially phishable.

I still have my sense of smugness because I use SOTA 2fa.

In the moment, it doesn't feel off, that's the most disconcerting aspect. It's the things that don't seem so critical or important that get you as well. Registration on a random site, and for a temporary reason was what got me once. In this case the browser extension seemed almost like an afterthought at the time for the author.
Had a close call:

Apparently it's possible to bypass 2FA and do a password reset of a Google account without email access, if the account owner doesn't abort it within 30 days. I confirmed that it works by "pwning myself" afterwards. So keep an eye on your old Gmail inbox if it matters.

Never heard of this before, and I think the mail Google sends you specifically says it is safe to ignore it if it didn't come from you.

Has this recently changed?

what how does this work
> At this point, I am the old lady who is driving to a Target to buy gift cards and give them to Jared, who is the Amazon Customer Support specialist with a suspiciously heavy Indian accent, waiting on the phone.

It happens to all of us. I always tend to make sure any extension has the sources available (unless requested by work/client), but nowadays with open source supply chain attack, it's just another breakable wall. Even on linux, some long time ago, I caught a trojan (luckily to the extent of my knowledge, it didn't affect anything besides running a crypto mining on my m3 laptop)., disguised as systemd, that was spreading through kodi extensions.

I got hacked late last year. It sucked. Do not recommend.

I'm not going to blog about it, but will at least share how I messed up. Maybe it'll help someone else.

I was phished through Discord. A CEO that I was friends with was phished prior to me and I let my guard down when someone I put on a pedestal reached out to me. The hacker asked me to review a video game prototype they'd been tinkering with in their spare time (the CEO worked in the video game industry) and they came to me because they knew I'd give them "honest feedback." The game's website looked legit enough with AI generated screenshots and boilerplate text.

They also messaged me right around dinner. I had like ten minutes of downtime when the message came in and I immediately shifted to, "Yeah I can bang this request out real quick for a person important to me before dinner arrives." rather than keeping my guard up.

Additionally, I have (or had) two Google accounts. My primary email address is much older and wasn't very business-professional. Over 15 years ago I created a secondary email, that was just my name at gmail, configured it to forward all emails to my first account, and then never logged in to that account again. Naturally, that meant that my primary account had 2FA, but my secondary account did not.

I signed up for Discord using my secondary Google account. So, when I got phished, the hacker assumed that was my primary account and compromised it first.

The way they compromised the account was very quick and efficient. They immediately set parental controls on the account, listed an email address they controlled as the parent, and then changed the accounts age to under 13. Those actions 100% lock an account because all account recovery options must be approved by the parent for children under 13.

Surprisingly, I did get a security notification saying that a suspicion session had been started on my primary email account even through 2FA. I (thankfully) managed to kick the hacker out before they were able to do the same to me. I'm not sure how they got access to the second account.

Laughably, the hacker tried to extort me for only $400 and, when they didn't get it, they pivoted to sending threatening texts then moved on to trying to phish others for quick cash.

Thankfully, I didn't lose much. I lost access to my Discord account and to my Google account, but all my Google data was replicated. I lost a full nights sleep resetting all my passwords everywhere. And I still feel a bit violated and think I always will.

It was really interesting being motivated to interface with the security processes of several hundred companies. Shout out to Kraken and Etsy for having the best security procedures.

Anyway. Just wanted to highlight a scenario which happened. I'm in engineering leadership. I've worked on a computer every day for over 20 years. I use KeePass to store my passwords and generally have fine security hygiene. I do my KnowBe4 training modules, lol.

Sadly the blogpost fails to mention which browser extension was the macilious one that compromised his session tokens.

While quite technical users (a la. this community and devs in general) would be able to inspect the source code of browser extensions to do an audit, most of us don't have time for this, and we just have to rely on the browser add-on number of downloads & reviews as a poor indicator.

It would be really useful to know how this particular extension was rated

> but on a universal level, we're missing a cohesive master plan, in which a user, a human, need not undertake endless and repeated manual fend-off of the devil

This is a very good way of stating the problem in terms anyone can relate to.

> I had one brow raised, a little suspicious, but not very much to initiate a full-scale defense

This on the other hand seems overly superficial. You get your eMarketplace account hacked, then your Twitter account, and you're just "a little suspicious"? My eyebrows would raise all the way to the back of my head after this. Not sure I'd know where to start but I'd be very concerned.

> A few days later, the same thing happened with my TikTok and Reddit accounts. I repeated the previous steps now that I had gotten used to them. This time I raised two of my brows with a little more suspicion. Still not quite there, though.

I mean... This is an incredibly high threshold for getting concerned. The kind that lowers the bar to getting hacked.

Anyone else seeing the blog post briefly before flicking to a 404 page? Safari on iOS 15 here.
Hmm. Maybe I need to install a second browser for sensitive stuff. Or maybe stick that in a vm somehow
my younger brother called me once, which was unusual, so i immediately answered. he was crying, which was new to me as well, and told me that our mom's laptop he had been using to game on was hacked, and that he was now being extorted live in a discord call.

asked him to shutdown the laptop immediately and add me to the call, to which he replied, "they sent me our postal code and told me if i told anyone or turned the laptop off, they're going to send someone to hurt me."

that's when i realized why he was panicking so much, to me who was 10 years older that was an obvious scare-tactic, he was a young, naive teenager so he was legitimately scared for his life.

was able to calm him down, he added me to the call, and turned the laptop off. i was surprised that the hackers in question were 3-4 french teenagers, incredibly rude and aggressive. they didn't care that they weren't able to ruffle my feathers, they just constantly asked for bitcoins, said they'd hurt our mom etc.

when i refused and just didn't engage they started posting our mom's tax returns and other files from her laptop, that's when i realized that they did indeed exfiltrate data.

immediately packed my bags and took the next train to meet mom and brother. we spent the afternoon rotating e-banking passwords etc.

while doing this, the hackers did try to login to her paypal and they actually got into my netflix account.

turned the wifi off at home to boot the laptop back up, wanted to try to retrace their steps. i did find out what kind of stealer they used and was able to sleaze my way into a secret discord server they used to organize, but it was temporary and they had already left. so i just wiped the laptop and reinstalled windows.

apparently these guys had promised my brother to optimize his PC so that Fortnite would run better, he let them connect via AnyConnect or TeamViewer, don't exactly remember. they did some legit debloating stuff etc., but also let a stealer run in the background. apparently these guys had spent some weeks in the discord server my brother was in to establish trust.

to this day i haven't felt as much rage again. seeing my young brother in such a distressed state, realizing that all of my mom's data, childhood pictures etc. were stolen made me angry to a point i've never felt, i legitimately wanted to find out who these guys were and hurt them as much as i could. of course we all calmed down again and realized there's nothing we could do other than rotate PWs and observe logins.

police said there's nothing they could do (didn't expect it anyways, but worth a try), discord ignored me when i reported the hacker's accounts. typing this out again makes me angry again, interestingly enough. it's been two years, almost forgot that this ever happened.

> TikTok deemed I should not have access to my account ever again, and X (formerly Twitter) is delaying a response to my appeal to the suspension, but I have not much hope; I reckon it's gone for good. I may have lost all the personal contacts and content from there, but on the bright side, that has taught and made me see some other things, besides the importance of being a little smarter to not blindly install extensions like my life depended on it.

Well, losing access to both TikTok and X could be considered a bright side as well. But more seriously, isn't it tragic that you can't just blindly assume any piece of OSS isn't malware, anymore?

Great article on reminding the risks of browser extensions. They literally have access to everything within the browser window, from usernames and passwords to bank account details.

Funnily I always tempted by extensions that offer dark more for webpages but never dared to install one.

I do use extensions, but only if they are from well known, respected organisations.

The author was lucky that it was only few compromised social media accounts. It could easily be an empty bank account or stolen identity instead.

(comment deleted)
The first time I got "hacked" was around 1995.

Someone I trusted at the time sent me a modified Legend of The Red Dragon bbs door game expansion/mod that del C:\

Learned a lot that day.

Very well-written, thanks for sharing. Stories like this are important!

> I went on looking for one of those browser extensions that made it easier to read. [...] I had to find the perfect one, with the cleanest user interface, the best features, the most convenient, across all cases and needs.

Examining the supply chain of those extensions and whether they were open-source and reputable should have been part of the evaluation process!

Also surely there is no reason to install any "dark reader" extension aside from the canonical Dark Reader...? https://github.com/darkreader/darkreader I thought this one was very well-known. I still wouldn't recommend _using_ it, you remain at risk of upstream's supply chain being compromised, but it's at least not malicious by default.

Firefox has dark mode built into its reader view feature which works on most websites, I'd imagine Chrome can do something similar. I greatly prefer and recommend this over installing an extension.

even installing ublock origin gives me the heebie jeebies when chrome asks me if I want to give the extension access to my full browser data. uBO is the only extension I trust.
This is why having 2 browsers is part of good security practice - keep one for important work and the other for regular browsing.