Security: externally_connectable.matches bypass via window.open
Issue description
Chrome version: 52.0.2743.82 (tested on Mac and Linux, Win/CrOS are probably affected as well)
Extensions can opt in to communicate with web pages via externally_connectable. The list of allowed origins is specified in the manifest file, like this:
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
But it appears that window.open() can be used to spoof any URL for the purpose of externally_connectable. As a result, extensions that don't expect hostile messages can receive messages from attackers.
To test:
1. Download attached files.
2. Put manifest.json and background.js in the same directory.
3. Load the extension via chrome://extensions
4. Open index.html and click on the button.
Expected:
- "passed: the page cannot communicate with the extension"
Actual:
- "FAILED, the page should not be able to communicate with the extension. Received: THIS IS SECRET - manifest.json says that only example.com can see this"
More info:
ScriptContext::url() is used to find the URL [1] and then used for externally_connectable [2]. It is however documented to be inappropriate for security decisions [3].
[1] https://chromium.googlesource.com/chromium/src/+/15fd52bd9893d7b72fda22e24d74c145b29221d1/extensions/renderer/runtime_custom_bindings.cc#64
[2] https://chromium.googlesource.com/chromium/src/+/f6f806674c4f6ebbb8b20197ae5b6c7a40bba08f/extensions/renderer/script_context.h#133
[3] https://chromium.googlesource.com/chromium/src/+/d1db9f61a6000339514472fe0d69c02e9917571c/chrome/browser/extensions/api/messaging/message_service.cc#295
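As an added illustration of what the report's "matches" list actually gates (this is example code written for this page, not the reporter's attachments and not Chromium's own URLPattern implementation): a small matcher for the match-pattern syntax used by externally_connectable.matches, limited to the http/https subset. The function names (parseMatchPattern, urlMatchesPattern, externallyConnectableAllows) and the MANIFEST constant are assumptions of this example; the manifest fragment itself is the one quoted in the report.

```javascript
// Added example, not code from the bug report or from Chromium: a small matcher
// for the match-pattern syntax used by externally_connectable.matches, covering
// the http/https subset ("*" scheme, optional "*." host wildcard, "*" path glob).
// It decides whether a given page URL would be allowed to message the extension.

// Constructed manifest fragment, taken from the pattern quoted in the report.
const MANIFEST = {
  externally_connectable: {
    matches: ["*://*.example.com/*"],
  },
};

// Escape a literal string for use inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Parse "<scheme>://<host><path>" into its components.
// "*" as scheme means http or https; "*" as host matches any host;
// "*.example.com" matches example.com and any subdomain of it.
function parseMatchPattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[a-z0-9][a-z0-9.-]*)(\/.*)$/i.exec(pattern);
  if (!m) throw new Error(`unsupported match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  return {
    schemes: scheme === "*" ? ["http", "https"] : [scheme.toLowerCase()],
    anyHost: host === "*",
    anySubdomain: host.startsWith("*."),
    host: host.replace(/^\*\./, "").toLowerCase(),
    // Path glob: "*" matches any run of characters, everything else is literal.
    pathRe: new RegExp("^" + path.split("*").map(escapeRe).join(".*") + "$"),
  };
}

// Check one absolute URL against one parsed pattern. Anything that does not
// parse as a URL, or whose scheme is not in the pattern, is rejected.
function urlMatchesPattern(url, parsed) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false;
  }
  if (!parsed.schemes.includes(u.protocol.slice(0, -1).toLowerCase())) return false;
  const host = u.hostname.toLowerCase();
  const hostOk =
    parsed.anyHost ||
    host === parsed.host ||
    (parsed.anySubdomain && host.endsWith("." + parsed.host));
  if (!hostOk) return false;
  // The path glob is matched against path plus query string.
  return parsed.pathRe.test(u.pathname + u.search);
}

// Would a page at senderUrl be allowed to message an extension with this manifest?
function externallyConnectableAllows(manifest, senderUrl) {
  const patterns = (manifest.externally_connectable || {}).matches || [];
  return patterns.some((p) => urlMatchesPattern(senderUrl, parseMatchPattern(p)));
}

// Stand-alone demonstration on constructed sender URLs.
for (const url of [
  "https://example.com/",
  "http://app.example.com/login?next=/x",
  "https://example.com.evil.test/",
  "https://notexample.com/",
  "ftp://example.com/",
  "about:blank",
]) {
  console.log(externallyConnectableAllows(MANIFEST, url) ? "allow" : "deny ", url);
}
```

The matcher denies every sender that does not fall under *.example.com, so the bypass described above is not a weakness of the pattern syntax: a matcher is only as trustworthy as the URL it is handed, and the report's point is that the URL came from ScriptContext::url(), which the renderer could spoof. Extension authors cannot fix that from their side; the comparison has to be made in the browser process on a URL the renderer cannot influence.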
Jul 26 2016
Devlin, Antony: Could one of you please triage? Thanks!
Jul 27 2016
I'll take this - it seems pretty closely related to bug 573131 which I've been working on.
Aug 11 2016
asargent: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 25 2016
asargent@, are you planning to look at this?
Aug 25 2016
asargent: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 25 2016
Ok, it looks like this was fixed by https://codereview.chromium.org/2208483002 for bug 573131, and that fix has already been merged to the M53 branch.
Dec 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rickyz@chromium.org, Jul 26 2016. Labels: Security_Severity-Medium Security_Impact-Stable