Topic: Amazon 1-button Chrome extension: password leakage

futzle
Amazon 1-button Chrome extension: password leakage
« on: July 14, 2013, 09:15:44 pm »
Heads up if you use the Amazon 1 Button extension for Chrome: this extension logs all your visited URLs, even https ones. It then shares these URLs with Amazon.

Why do Vera users need to know this? Because you may have given away your MiOS password in a URL like "https://fwd1.mios.com/username/password/serial/..." if you did any kind of Vera-remote-control testing in Chrome.

If you only used the official cp.mios.com interface and logged in by typing your password into the form on the page, then you are not vulnerable to this leakage, though Amazon is still getting your session IDs, so it could in theory hijack a logged-in session.

Suggested course of action: uninstall this Chrome extension. Change your MiOS password.
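
An added example, not part of futzle's post: a small audit that flags URLs in an exported browsing history whose path, userinfo or query string carries a secret, which is exactly what any URL-logging extension would have captured. The host and path layout come from the URL quoted above; the query parameter names and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Host and layout from the post: https://fwd1.mios.com/username/password/serial/...
MIOS_FWD_HOST = "fwd1.mios.com"
# Assumption: parameter names that commonly hold passwords or session IDs.
SECRET_PARAMS = {"password", "passwd", "pwd", "token", "sessionid", "sid"}

def audit_url(url):
    """Return the reasons this URL exposes a secret to anything that logs URLs."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.password is not None:
        findings.append("password in userinfo")
    segments = [s for s in parts.path.split("/") if s]
    # username/password/serial means at least three segments, password second.
    if host == MIOS_FWD_HOST and len(segments) >= 3:
        findings.append("MiOS password in path (segment 2)")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS and value:
            findings.append(f"secret in query parameter '{name}'")
    return findings

def audit_history(urls):
    """Return (host, findings) pairs; the URL itself is never echoed back."""
    report = []
    for url in urls:
        findings = audit_url(url)
        if findings:
            report.append((urlsplit(url).hostname, findings))
    return report

# Constructed sample history; none of these values are real.
SAMPLE_HISTORY = [
    "https://fwd1.mios.com/exampleuser/examplepass/00000/status",
    "https://cp.mios.com/",
    "https://user:examplepass@example.com/admin",
    "https://example.com/home?sessionid=abc123",
]

if __name__ == "__main__":
    for host, findings in audit_history(SAMPLE_HISTORY):
        print(host, "->", "; ".join(findings))
```

Any host that shows up in the report had a secret visible in the address bar, so the matching password or session should be treated as disclosed and rotated.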

guessed
Re: Amazon 1-button Chrome extension: password leakage
« Reply #1 on: July 14, 2013, 09:30:07 pm »
Ouch. Thanks for the heads up, @futzle.

You may like this one, for [certain] Motorola Android phone owners:
    http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html