Issue 612448
Issue metadata

Status: WontFix
Owner: ----
Closed: May 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: Malicious Chrome extensions can illegally make requests under the guise of the user.

Reported by hiroyuki...@gmail.com, May 17 2016

Issue description

VERSION
Chrome Version: 51.0.2704.47 + beta / 50.0.2661.102 + stable
Operating System: Ubuntu 16.04 / OS X 10.11.4

REPRODUCTION CASE
Malicious Chrome extensions can illegally make requests under the guise of the user.
Example:
- Requests that require a cookie
- Get a token that was stored in Web Storage and make requests using it
- More requests unintended by the user

Code:
This is dangerous code that can run on 'inbox.google.com'.

```javascript
// Runs inside the page's origin, so the request carries the user's cookies.
fetch( '/', { mode: 'cors', credentials: 'include' } ).then( ( res ) => { return res.text() } ).then( ( text ) => { console.log( text ) } )
```

This code only gets the HTML. However, various requests for authentication could be achieved.

I worry it might be an XSS.

Attachment: chrome-extension-fetch-example.zip (937 bytes)
Components: Platform>Extensions
Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
The complaint in this bug is that it's possible to build a malicious Chrome extension that injects JavaScript into a manifest-listed victim origin and that JavaScript can issue requests from within the context of that Origin.

The provided manifest contains, for instance:

```json
  "matches": ["https://inbox.google.com/*"],
  "js": ["main.js"],
  "run_at": "document_idle"
```

...and then the main.js file issues network requests from the victim origin context.

This is working as intended and does not represent a security vulnerability; the extension is utilizing permissions granted by the user.
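Since the only control here is the permission review before installation, an added example (not code from the bug report or from Chromium) of the check a reviewer or administrator can run: a Node script that expands a manifest's content_scripts "matches" patterns and lists which high-value URLs each script would be injected into. The sample manifest and URL list are constructed, and the match-pattern handling assumes only the documented scheme, host and path wildcard rules.

```javascript
// Added example, not code from the bug report or from Chromium: audit an
// extension manifest for content scripts that run inside sensitive origins.
// A script listed under "matches" runs in that page's origin, so its fetch()
// calls carry the site's cookies, which is exactly what the report shows.

// Convert a Chrome match pattern (scheme://host/path) into a RegExp.
// Assumption: only the documented scheme, host and path wildcard rules.
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(https?|file|ftp):\/\/.*/;
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host = '', path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const schemeRe = scheme === '*' ? 'https?' : scheme;
  let hostRe;
  if (host === '*') hostRe = '[^/]+';
  else if (host.startsWith('*.')) hostRe = '([^/]+\\.)?' + esc(host.slice(2));
  else hostRe = esc(host);
  const pathRe = esc(path).replace(/\*/g, '.*'); // '*' in the path matches anything
  return new RegExp(`^${schemeRe}://${hostRe}${pathRe}$`);
}

// List every sensitive URL each content_scripts entry would be injected into.
function contentScriptExposure(manifest, sensitiveUrls) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const regexps = (cs.matches || []).map(matchPatternToRegExp);
    for (const url of sensitiveUrls) {
      if (regexps.some((re) => re.test(url))) {
        findings.push({ url, js: cs.js || [], runAt: cs.run_at || 'document_idle' });
      }
    }
  }
  return findings;
}

// Constructed sample: the first entry mirrors the manifest quoted in triage,
// the second uses a subdomain wildcard; neither is from a real extension.
const sampleManifest = {
  manifest_version: 2,
  content_scripts: [
    { matches: ['https://inbox.google.com/*'], js: ['main.js'], run_at: 'document_idle' },
    { matches: ['*://*.example.com/'], js: ['other.js'] },
  ],
};
const sensitiveUrls = ['https://inbox.google.com/u/0/', 'https://mail.example.org/', 'http://www.example.com/'];
console.log(contentScriptExposure(sampleManifest, sensitiveUrls));
```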
Okay. I was able to understand that it is not an issue.
Thank you.
Comment 3 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 4 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic