Believe it or not, programmer Andreas Grech has made a Chrome Plugin (third-party extensions) that can fetch and users’ login information and send him as an email. He has been successful in fetching email IDs and passwords against them for websites like Twitter, Gmail, and Facebook. Andreas says:
By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.
The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the url and then proceeds to submit the form normally as to avoid detection.
Andreas Grech, the hacker, has provided source code and a step by step guide in his blog to show you the flaw in Chrome. His intentions are pure and just to spot the massive security flaw in the browser. A piece of advice: Until Google comes out with the fix, only install plugins from renowned people and websites.