New issue
Advanced search Search tips

Issue 756181 link

Starred by 2 users
Status: Untriaged
Owner: ----
Cc:
devlin@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task



Sign in to add a comment

Extension documentation for clipboard permissions are a bit misleading

Reported by stefan.v...@gmail.com, Aug 16 2017 
VULNERABILITY DETAILS
The Chrome extension can copy the text in the textbox without any permissions in the manifest.json file. This can be dangerous and can send the data to a web server.

Here the Chrome extension developer guide said you must got this
https://developer.chrome.com/extensions/permission_warnings
"clipboardRead" permission
Allows the extension to use the following editing commands with document.execCommand():
"copy"
"cut"


VERSION
Chrome Version: 60.0.3112.101  + stable
Operating System: MacOS Sierra 10.12.6

REPRODUCTION CASE
1. Unzip the Chrome extension to a folder
2. Load the Chrome extension
3. Click on the extension icon, you see the popup
4. Now you see a textbox with a text. If you click copy, it copy the text to your memory
5. If possible, you see the successful message

But important is that this Chrome extension go no "permission" in the manifest file. So normal it must show you an error. 
Now this can be dangerous, because the user information can be posted on sever. Without knowing this Chrome extension just copy an (important) data.
extension.zip
53.7 KB Download

Comment 1 by elawrence@chromium.org, Aug 16 2017

Cc: devlin@chromium.org
Components: Platform>Extensions>API
I suspect this is more of an issue with misleading documentation than a real vulnerability given that these permissions are available to untrusted web content.

In terms of the described "Attack scenario", you don't need the clipboard at all to accomplish such things.

Comment 2 by rdevlin....@chromium.org, Aug 17 2017

Components: -Platform>Extensions>API Platform>Extensions>Documentation
Status: Available (was: Unconfirmed)
Summary: Extension documentation for clipboard permissions are a bit misleading (was: Security: Can copy your data without the "clipboardRead" permission)
Agreed, this isn't a security bug - normal webpages have this same privilege, by design.  Also, this isn't relevant to clipboardRead, since it's writing to the clipboard, not reading from it.

elawrence@, feel free to remove the restrictions.

Comment 3 by elawrence@chromium.org, Aug 17 2017

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Pri-3 Type-Bug

Comment 4 by elawrence@chromium.org, Aug 17 2017

Labels: -Type-Bug Type-Task
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 20

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment