Extensions can redirect away from chrome:extensions, preventing user from uninstalling [External report]
Issue description

Chrome Version: Not specified
OS: Not specified (presumably all platforms with extensions)

Seen on an external site. Not reproduced. I am just filing this here to bring it to the attention of the extensions team.

https://blog.malwarebytes.com/threat-analysis/2018/01/new-chrome-and-firefox-extensions-block-their-removal-to-hijack-browsers/

What steps will reproduce the problem?
(1) Install an extension called "Tiempo en colombia en vivo" (apparently now removed from the store).
(2) Go to chrome://extensions to attempt uninstallation.

What is the expected result?
From chrome://extensions, you can remove the extension.

What happens instead?
The extension runs a content script on chrome://extensions which redirects to chrome://apps/?r=extensions. The user is unable to uninstall the extension.

Note: I would think you could uninstall from the Chrome menu extensions list, so this may not be as bad as the site makes out. However, extensions should probably not be able to run content scripts on chrome://extensions (or perhaps chrome: URLs).
Jan 26 2018
It's not webRequest; it's typically the tabs API. I'm working on a brief doc that highlights some of this that we can use to discuss. I'll take ownership of this for now.
Feb 8 2018
The pages to report an extension are also affected, à la https://chrome.google.com/webstore/report/{extension ID}?hl=de&gl=DE
You would have to open another browser/browser profile to report the malicious extension.
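
An added example, not part of the original report or the Chromium code base: a static heuristic that scans an unpacked extension directory for scripts that both reference the pages named in this thread and call a tab-navigation method of the tabs API. The directory layout, function names and sample files are constructed assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Pages the thread reports as being redirected away from.
PROTECTED = ("chrome://extensions", "chrome.google.com/webstore/report")
# chrome.tabs methods that can navigate or close a tab.
TAB_CALLS = re.compile(r"\bchrome\.tabs\.(update|remove)\b")


def audit_extension(ext_dir):
    """Flag scripts that name a protected page and also call a tab-navigation API."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    has_tabs = "tabs" in manifest.get("permissions", [])
    findings = []
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        pages = [p for p in PROTECTED if p in text]
        calls = sorted(set(TAB_CALLS.findall(text)))
        if pages and calls:
            findings.append({"file": js.relative_to(ext_dir).as_posix(), "pages": pages,
                             "tab_calls": calls, "tabs_permission": has_tabs})
    return findings


def demo():
    """Audit two constructed extension directories: one suspicious, one benign."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, ok = Path(tmp, "bad"), Path(tmp, "ok")
        for d in (bad, ok):
            d.mkdir()
        (bad / "manifest.json").write_text(json.dumps(
            {"name": "constructed-sample", "permissions": ["tabs"]}))
        # Constructed, non-functional fragment containing only the indicators.
        (bad / "bg.js").write_text(
            'var watched = "chrome://extensions"; chrome.tabs.update(id, opts);')
        (ok / "manifest.json").write_text(json.dumps(
            {"name": "constructed-benign", "permissions": ["storage"]}))
        (ok / "bg.js").write_text('chrome.storage.local.get("k", cb);')
        return audit_extension(bad), audit_extension(ok)


if __name__ == "__main__":
    print(demo())
```

Plain string matching misses obfuscated or remotely loaded scripts, so a clean result here does not clear an extension; treat hits as leads for manual review.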
Comment 1 by karandeepb@chromium.org, Jan 26 2018