(dbushell.com)

279 points dbushell | 2 comments | 29 Mar 25 10:27 UTC | HN request time: 0.001s | source

Show context

MartijnHols ◴[29 Mar 25 16:47 UTC] No.43516805[source]▶

Makes me wonder if you can use this to hijack their plugin. At the very least you should be able to inject text into it, but you can probably render a pretty little login form as well, abusing the trust the user has in their extension. Is injecting elements into a document controlled by others really safe?

replies(1): >>43517113 #

echoangle ◴[29 Mar 25 17:33 UTC] No.43517113[source]▶

>>43516805 #

How would this work? They are injecting CSS into your page, but you can't inject anything into the extension UI from a website. The only thing you could do would be to emulate the extension UI in your website, but for that you don't need to inject anything. You can just copy the design.

replies(1): >>43517231 #

1. MartijnHols ◴[29 Mar 25 17:50 UTC] No.43517231[source]▶

>>43517113 #

The article mentions they inject a web component. I imagine a bad actor could add something to that. In this case at the very least the author could add a "I hacked your Grammarly extension" text just via CSS, but I'm sure you can go much further, even more so with other extensions (eg password managers).

replies(1): >>43517383 #

2. echoangle ◴[29 Mar 25 18:13 UTC] No.43517383[source]▶

>>43517231 (TP) #

But you could also just add you own lookalike web component to you page that looks like the grammarly one. If people enter credentials there, it's user error.

↑

Et Tu, Grammarly?