
Issue 614258

Issue metadata

Status: WontFix
Owner:
Last visit > 30 days ago
Closed: May 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug-Security




allow javascript to be injected through extensions

Reported by mihirbha...@gmail.com, May 24 2016

Issue description

VULNERABILITY DETAILS

JavaScript can be injected into extensions downloaded through the Chrome Web Store without any hash check feature.

VERSION
Chromium Version: [49.0.2623.108] + [dev]
Operating System: [Linux, 3.16.0-71-generic]

REPRODUCTION CASE

1] Go to the Chrome Web Store and install any extension.
2] Check the manifest.json to see which file is executed regularly.
3] Put your code inside the file and restart Chromium, and if there is no hash check then your code will be executed without any error or warning that the file has been changed.
(Tested on AdBlock extension Version 2.57 & Google Translate Chrome extension Version 2.0.6_0)
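An added example, not code from the report or from Chromium: a small baseline-and-verify check over the files that manifest.json points at (background scripts, MV3 service worker, content scripts, plus the manifest itself). It records SHA-256 digests once and later reports which of those files changed, which is the kind of detection a hash check would give for step 3 above when content verification is not enforced. The extension layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def manifest_script_files(manifest: dict) -> list[str]:
    """Relative paths of the scripts the manifest says the browser will run."""
    files = ["manifest.json"]
    background = manifest.get("background", {})
    files.extend(background.get("scripts", []))       # MV2 background scripts
    if "service_worker" in background:                 # MV3 service worker
        files.append(background["service_worker"])
    for cs in manifest.get("content_scripts", []):     # scripts injected into pages
        files.extend(cs.get("js", []))
    return sorted(set(files))


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(ext_dir: Path) -> dict[str, str]:
    """Record a digest for every script file the manifest names."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    return {rel: sha256_of(ext_dir / rel) for rel in manifest_script_files(manifest)}


def verify(ext_dir: Path, expected: dict[str, str]) -> list[str]:
    """Return the relative paths that are missing or no longer match the baseline."""
    changed = []
    for rel, digest in expected.items():
        p = ext_dir / rel
        if not p.is_file() or sha256_of(p) != digest:
            changed.append(rel)
    return changed


def demo() -> list[str]:
    # Constructed minimal extension (assumed layout, not a real Web Store package).
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp)
        (ext / "manifest.json").write_text(json.dumps({
            "manifest_version": 2, "name": "demo", "version": "1.0",
            "background": {"scripts": ["background.js"]},
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
        }))
        (ext / "background.js").write_text("console.log('original');\n")
        (ext / "content.js").write_text("console.log('original');\n")
        expected = baseline(ext)
        # Simulate an on-disk modification of the regularly executed file.
        with (ext / "background.js").open("a") as f:
            f.write("console.log('modified');\n")
        return verify(ext, expected)   # returns ['background.js']
```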


Comment 1 by mea...@chromium.org, May 24 2016

Components: Platform>Extensions
Labels: OS-Linux
Owner: asargent@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for your report. On Windows and Mac this would be captured by extension content verification, but I'm not sure if it's available on Linux. Antony, can you please triage?
Labels: Needs-Feedback
Extension content verification should be enabled on all desktop platforms (Win/Mac/Linux/ChromeOS), but is only turned on for Google Chrome official builds. 

To the original reporter: any chance you happened to test with a Chromium build or something? If so then content verification won't be turned on by default, but you can turn it on by opening a tab to chrome://flags and setting the value of "ExtensionContentVerification" to EnforceStrict and restarting the browser. 

If you still see the bug happening, can you please attach a test case that demonstrates this?

Yeah, that worked.
But still, why not enable it in the first place like on Windows or Mac?
Normally no one will even realize that this feature is turned off.
Are you running a Google Chrome branded build that you got from the official Google repository (e.g. https://www.google.com/chrome/browser/desktop/), or a build of Chromium made by your distro? If the latter, we don't have any control over the bits that they ship, but if a distro was interested in shipping this feature on by default, I think we'd be happy to accept a patch that adds a compile-time flag for doing that.


Comment 5 by mea...@chromium.org, May 25 2016

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Assigned)
Sounds like this is working as intended.

#3: While I'm closing the bug, please still feel free to submit a patch along the lines of what asargent@ is suggesting.

Comment 6 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
