There’s a Chrome extension out there called UCLA Automated Login that promises to enable autofill for the Single Sign-On system provided by UCLA for the users of its web applications. The SSO system is fairly aggressive about expiring sessions, so I’m not surprised that this extension has hundreds of users. Before installing it, though, I took the time to inspect its source code and found enough security issues that I refuse to use this extension and can’t recommend it to anyone else. Here’s what I found.
The extension works by watching for the standard “UCLA Logon” page, filling in your saved username and password, and submitting the form. Someone made this extension because the input elements on the logon page carry the autocomplete="off" attribute, which keeps Chrome’s built-in Autofill from saving or filling credentials there. Had I written it, I would simply have removed the autocomplete="off" attribute from the form to enable Chrome Autofill instead of half-assedly emulating it myself.
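As an added illustration of the approach described above (this is example code I wrote for this page, not the extension’s source), here is the whole content script that approach needs: it strips autocomplete="off" from the logon form and its credential fields so Chrome’s own Autofill can take over, and it never reads, stores or submits a password itself. The form id, field names and the stand-in DOM are constructed for offline runs and are not taken from UCLA’s page.

```javascript
// Remove autocomplete="off" so the browser's Autofill handles the credentials.
// Returns the number of attributes changed, so the result can be checked.
function enableAutofill(root) {
  let changed = 0;
  // Form-level autocomplete="off" disables Autofill for every field inside it.
  for (const form of root.querySelectorAll('form')) {
    if ((form.getAttribute('autocomplete') || '').toLowerCase() === 'off') {
      form.removeAttribute('autocomplete');
      changed++;
    }
  }
  // Field-level: only credential-style inputs are touched.
  for (const input of root.querySelectorAll('input')) {
    const type = (input.getAttribute('type') || 'text').toLowerCase();
    if (type !== 'text' && type !== 'password' && type !== 'email') continue;
    if ((input.getAttribute('autocomplete') || '').toLowerCase() === 'off') {
      // Give the browser an explicit hint instead of merely deleting the attribute.
      input.setAttribute('autocomplete', type === 'password' ? 'current-password' : 'username');
      changed++;
    }
  }
  return changed;
}

// Constructed stand-in for the DOM so the script can run outside a browser
// (the real content script is handed `document`). Only the methods used above exist.
class FakeElement {
  constructor(tag, attrs = {}, children = []) {
    this.tag = tag;
    this.attrs = new Map(Object.entries(attrs));
    this.children = children;
  }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
  setAttribute(name, value) { this.attrs.set(name, value); }
  removeAttribute(name) { this.attrs.delete(name); }
  querySelectorAll(tag) {
    const out = [];
    for (const c of this.children) {
      if (c.tag === tag) out.push(c);
      out.push(...c.querySelectorAll(tag));
    }
    return out;
  }
}

// Constructed sample page (assumed shape, not UCLA's markup): a form and two
// credential inputs, all carrying autocomplete="off".
function buildSampleLogonPage() {
  return new FakeElement('html', {}, [
    new FakeElement('form', { id: 'logon', method: 'post', autocomplete: 'off' }, [
      new FakeElement('input', { type: 'text', name: 'logon_id', autocomplete: 'off' }),
      new FakeElement('input', { type: 'password', name: 'password', autocomplete: 'off' }),
      new FakeElement('input', { type: 'submit', value: 'Sign In' }),
    ]),
  ]);
}

// In the browser this runs as a content script; the manifest's content_scripts
// "matches" entry (the logon URL, not reproduced here) limits where it is injected.
if (typeof document !== 'undefined') {
  enableAutofill(document);
} else {
  console.log(`changed ${enableAutofill(buildSampleLogonPage())} attribute(s) on the sample page`);
}
```

The point of keeping the script this small is least privilege: an extension that only rewrites attributes needs no storage for secrets and gives a later update nothing to exfiltrate.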
The first major transgression comes from a misuse of UCLA branding to give the impression that this extension is somehow sanctioned by the university. The extension’s logo is the UCLA logo–a clear trademark violation. And the UI for saving your credentials in the extension closely mimics the standard UCLA Logon page. I’ll give the developer the benefit of the doubt and assume they did this to provide a more consistent user experience, but it could be misleading to some users.
Finally–and here’s where it gets really scary–as with every Chrome extension, the developer can automatically push an updated version to all of its users. What’s to stop him from quietly changing the extension to report every username and password to a remote server? If the update needs new host permissions to make that cross-domain request, Chrome disables the extension until the user approves them, but that prompt isn’t something that will cause suspicion for most users; and if the manifest already grants broad host access (a pattern such as <all_urls>), the update installs with no prompt at all. Students use these credentials to add and drop classes, declare majors, pay tuition, administer financial aid, submit homework assignments, apply for jobs, and much more. You really don’t want those capabilities falling into the wrong hands.
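To make the permission argument concrete, here is a pre-install check I wrote for this page (not the extension’s code and not from the original post): it reads an extension’s manifest.json, lists every host pattern granted at install time, and reports whether any of them is broad enough that a later update could talk to an arbitrary server without a new-permissions prompt. The two manifests and the logon host name are constructed placeholders, not the real extension’s.

```javascript
// Collect every host pattern an extension holds from install time.
// MV2 lists match patterns alongside API permissions in "permissions";
// MV3 moves them to "host_permissions". content_scripts "matches" entries
// are host access too. Optional permissions are left out because Chrome
// prompts for those at the moment the extension requests them.
function hostPatterns(manifest) {
  const patterns = new Set();
  for (const p of [...(manifest.permissions || []), ...(manifest.host_permissions || [])]) {
    if (p === '<all_urls>' || p.includes('://')) patterns.add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) patterns.add(m);
  }
  return [...patterns];
}

// Chrome match-pattern host matching: "*" is every host, "*.example.edu"
// is example.edu and its subdomains, anything else is an exact host.
function patternMatchesHost(pattern, host) {
  if (pattern === '<all_urls>') return true;
  const m = /^(?:\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const ph = m[1].toLowerCase();
  const h = host.toLowerCase();
  if (ph === '*') return true;
  if (ph.startsWith('*.')) {
    const base = ph.slice(2);
    return h === base || h.endsWith('.' + base);
  }
  return ph === h;
}

function auditManifest(manifest, ssoHost) {
  const patterns = hostPatterns(manifest);
  // A pattern that matches a host nobody could have whitelisted on purpose
  // (.invalid is reserved, RFC 2606) is broad enough to reach any server.
  const broad = patterns.filter(p => patternMatchesHost(p, 'exfil.invalid'));
  return {
    patterns,
    broad,
    coversSso: patterns.some(p => patternMatchesHost(p, ssoHost)),
    // Already-granted broad access means an update can add a request to the
    // developer's server without Chrome's "needs new permissions" re-approval.
    silentExfilPossible: broad.length > 0,
  };
}

// Read a manifest.json from an unpacked extension directory and audit it.
function auditManifestFile(path, ssoHost) {
  const fs = require('fs');
  return auditManifest(JSON.parse(fs.readFileSync(path, 'utf8')), ssoHost);
}

// Constructed manifests for offline runs (placeholders, not the real extension's).
const NARROW_MANIFEST = {
  manifest_version: 3,
  name: 'narrow example',
  host_permissions: ['*://*.example.edu/*'],
  content_scripts: [{ matches: ['https://logon.example.edu/*'], js: ['fill.js'] }],
};
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: 'broad example',
  permissions: ['storage', 'tabs', '<all_urls>'],
  content_scripts: [{ matches: ['https://logon.example.edu/*'], js: ['fill.js'] }],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of [NARROW_MANIFEST, BROAD_MANIFEST]) {
    console.log(m.name, auditManifest(m, 'logon.example.edu'));
  }
}
```

Run it against the manifest.json of an unpacked extension before installing: an autofill helper for one logon page has no business holding anything wider than that page’s host, and a broad pattern is exactly what turns a silent update into a credential leak.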
To recap: the “UCLA Automated Login” extension co-opts the university’s visual identity, stores your password in an easily decryptable form using a feature that isn’t meant to store sensitive data, and could be silently updated at any time to transmit your credentials to a remote server. Oops.