Board: Project Development
Topic: Re: [ANNOUNCE] Collate v0.2: Bring your wallets together.
by Hach-Que on 07/07/2011, 13:26:55 UTC
Thing is, if someone has broken the Chrome sandbox between applications, they could just steal the raw data they want and then send the request off... CAPTCHA won't do anything. But as I mentioned before, at that point, if they can break that security barrier, you have to question whether or not they can just take control of the whole system (I'm not sure how sandboxed processes are between each other in Chrome relative to each of them to the OS, but I would assume it would be similar).

So assuming that the Chrome sandbox holds up (which it should), the only thing you have to watch out for is rogue Collate plugins (as in account types); but that's why we screen any plugins that are submitted so it doesn't happen ;)

EDIT: Also think of it like this; if they can break the security barrier between website <-> Chrome extension, then they'll be able to break the security barrier between website <-> website and steal any session data or login information that you're sending to normal sites. So at that point, I don't think it's really much of a concern (i.e. they could just steal the session data to Tradehill anyway... why go to all the trouble of getting the information out of the extension?)