Security: Clickjack (or keyjack) users into unknowingly installing extensions
Issue description

Chrome version: 55.0.2883.75 (stable), 57.0.2942.0 (latest)

Web pages can prompt users to install extensions from the Chrome Web Store. This prompt appears in a predictable location in the page and features two buttons: "Cancel" and "Add extension". This UI can be abused by mouse or keyboard:

- Mouse: Get the user to repeatedly click at the expected location of the "Add extension" button, and trigger the installation dialog.
- Keyboard: Trigger the install dialog before the user hits arrow key - spacebar.

(These circumstances are quite realistic in a game.)

This is equivalent to (or worse than) UXSS because extensions with arbitrary permissions can be installed in this way, without the user's explicit consent. To cover their tracks, an attacker can clone a popular extension and uninstall the original extension (via the chrome.management API). The average user won't see the difference...

Here is a quick PoC using the real AdBlock Plus (an attacker would obviously use their own site and a malicious extension):

1. Visit https://adblockplus.org/
2. Open Chrome's developer tools, go to the console and run the code from poc-game.js
3. Play the game (e.g. press arrow right, spacebar, arrow right, spacebar).

The attached video shows the PoC in action. Note that the bubble at the end of the video would immediately be hidden if this vulnerability was abused via mouse, because the bubble disappears when the user clicks anywhere.

Suggested mitigation: Add a slight delay (e.g. a second or two) before the user can click on the "Add extension" button.
Dec 5 2016
Assigning to rdevlin.cronin, but maybe someone from the security UX team should take this?
Dec 5 2016
This is the same issue as bug 394518. The simplest way to prevent this is to delay the accept action to make sure the user sees the dialog.
Dec 5 2016
Merging. Agreed that we should probably just add a 500ms delay or so.
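The mitigation the comments converge on (a short grace period before the affirmative button reacts) can be modelled as input gating with an injectable clock. This is an added example, not Chromium's own implementation; the prompt object, event shapes and the constructed timings are assumptions, and only the dangerous action ("Add extension") is gated, while "Cancel" always works.

```javascript
// Added example (not Chromium code): an install prompt whose accept action
// ignores any click or keypress that arrives within a grace period after the
// dialog is shown, so input already "in flight" cannot accept it.
const ACCEPT_DELAY_MS = 500; // the figure discussed in the thread

// nowFn is injected so the behaviour can be tested with a fake clock.
function createInstallPrompt(nowFn = () => Date.now(), delayMs = ACCEPT_DELAY_MS) {
  let shownAt = null;   // timestamp of the most recent show()
  let outcome = null;   // null | 'accepted' | 'cancelled'
  const rejected = [];  // accept attempts dropped by the grace period

  return {
    show() { shownAt = nowFn(); outcome = null; },
    // Returns true only when the event actually changed the prompt's outcome.
    handle(event) {
      if (shownAt === null || outcome !== null) return false;
      const isAccept = (event.type === 'click' && event.target === 'add') ||
        (event.type === 'keydown' && (event.key === ' ' || event.key === 'Enter'));
      const isCancel = (event.type === 'click' && event.target === 'cancel') ||
        (event.type === 'keydown' && event.key === 'Escape');
      if (isCancel) { outcome = 'cancelled'; return true; } // safe action: never delayed
      if (!isAccept) return false;                           // unrelated input
      const age = nowFn() - shownAt;
      if (age < delayMs) { rejected.push({ type: event.type, age }); return false; }
      outcome = 'accepted';
      return true;
    },
    outcome: () => outcome,
    rejected: () => rejected.slice(),
  };
}

// Scenario mirroring the report (constructed timings): the dialog appears just
// before the user's next spacebar press and a click at the button's location.
function runScenario() {
  let t = 0;
  const prompt = createInstallPrompt(() => t);
  prompt.show();
  t = 120; const earlyKey = prompt.handle({ type: 'keydown', key: ' ' });
  t = 180; const earlyClick = prompt.handle({ type: 'click', target: 'add' });
  t = 700; const lateClick = prompt.handle({ type: 'click', target: 'add' });
  return { earlyKey, earlyClick, lateClick, outcome: prompt.outcome(),
           rejectedCount: prompt.rejected().length };
}
```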
Dec 6 2016
Please cc me on bug 394518. Was it reported externally? The bug number looks alarmingly low. And question for security team: is clickjacking/keyjacking unconditionally low severity, even if it leads to UXSS?
Oct 26 2017
Apr 27 2018
Jun 22 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 22 2018
> And question for security team: is clickjacking/keyjacking unconditionally low severity, even if it leads to UXSS?

No, not necessarily. In fact bug 394518 is medium, not low, so this should have been medium as well (still a duplicate though, I'm afraid).
Comment 1 by elawrence@chromium.org, Dec 5 2016
Status: Untriaged (was: Unconfirmed)
Summary: Security: Clickjack (or keyjack) users into unknowingly installing extensions (was: Security: too easy trick users into unknowingly installing extensions)