I remember walking out of that talk and thinking:
If this is the quality of research you can present at DefCon nowadays, I guess I should find some bullshit and send in a request to present to check that bucket list item off.
Literally, if you have privileged code execution in the browser (which extensions usually do), of course you can do bullshit like this.
There’s also no reason to steal the passkey, since you can do things like send requests on behalf of the user or modify the page to trick them into running something.
The bits about shadowing the JavaScript API they called out as critical, and like yes (JS is the work of the devil), but also that’s how fucking JavaScript works.
You’re giving a talk to some of the most technical people in the world; how the fuck did they even come close to the presenter stage here? It didn’t go over anything new, and if you knew anything about the topic at hand, it reeked of bullshit.