Security: Malicious content script can launder postMessage origin
Reported by
m...@semmle.com,
Mar 5 2018
|
|||||||||
Issue descriptionVULNERABILITY DETAILS This issue affects quite a few popular chrome extensions. Many chrome extensions uses the postMessage API to receive message from their own webpage, and then check the origin of the message to ensure that it does not originate from a foreign window. For example, an extension may have content script that matches "https://mydomain.com" with something like: window.addEventListener("message", function(e) { //Check if it is from our page if (e.origin == "https://mydomain.com") { //call some API chrome.runtime.sendMessage(e.data); } } ) The problem is that, a malicious extension can also use content script to postMessage as "mydomain.com". For example, a malicious extension can have a content script that also matches "mydomain.com" and then have something like: var e = {"msg" : "malicious!"}; setTimeout(window.postMessage, 100, e, "*"); This message will then get intercepted by the victim extension and e.origin in this case will show up as "https://mydomain.com". The malicious extension can then access the API of the victim's extension. The main issue is that there is no way to tell whether a message does come from the webpage or from the extension. As I've seen a number of popular chrome extensions that uses this kind of checks, it may be better to address this issue in Chrome rather than to contact individual vendors. If there is indeed an existing API to check whether a message comes from a foreign app or not, then please let me know so I can contact the vendors that are affected. Thank you very much for your help. VERSION Chrome Version: 64.0.3282.140 + stable Operating System: Ubuntu 17.10 REPRODUCTION CASE Attached please find two example apps that demonstrate the problem. The checks are simplified to `e.origin == window.location.origin` to make testing easier (This is actually a fairly popular check, purported to prevent attacks like: win = window.open("https://mydomain.com"); win.postMessage(e, "*"); from malicious websites.) The victim_ext is an extension that listens to message and checks the origin, while the malicious_ext is a malicious extension that sends message to call internal API of the victim_ext. When both are loaded, the background page of victim_ext will print "malicious" in the console. Thank you very much for your help, please keep me informed of the progress. Thanks. Best Regards, Man Yue Mo
,
Mar 5 2018
,
Mar 5 2018
The PoC extension is allowed to inject content scripts into any URL, so effectively they control everything about 'mydomain.com' already, including any delegated trust (by extensions, or otherwise). If an extension with more limited permissions could do this then that would be an escalation, but otherwise I agree with comment 1.
,
Mar 5 2018
Thanks for the input. I can see your point here. The issue that I was trying to raise is that, victim_ext trusts the content of mydomain.com, however, the content may be tainted if there is a malicious extension in a user's machine that can modify the content of mydomain.com and there is no API for victim_ext to check for such issue. I agree that strictly speaking, this may not be a security issue in Chrome as such, but since I saw a number of extensions making the above assumption, it may be nice to provide an API that allows further checks to be performed. Would you say that in this case, the responsibility is with the vendor who trusted content from their own websites? Or with the user who installed an extension with content scripts that can modify pages (which many extensions do these days) Thanks.
,
Mar 5 2018
> it may be nice to provide an API that allows further checks to be performed. TL;DR: We do. :) This sounds very much like a bug in the extensions (and I'd encourage you to please file reports with them!). We offer a way to handle extension message passing with attribution and stronger guarantees, which is the chrome.runtime.sendMessage API. Using this API, extensions can *only* message themselves without the handling extension needing to provide special handling (listening to the onMessageExternal vs onMessage event), and differentiating between a message from the extension itself vs from an external party is trivial. From this bug, it sounds like the issue is that these extensions are actively *not* using the sanctioned API that provides proper attribution and limitations, and are instead relying on content that the page itself (or other content scripts) can easily manipulate. As elawrence@ mentioned, introducing more advanced taint tracking would be very difficult, and as kenrb@ touched on, any extension with privilege to run on mydomain.com can effectively control mydomain.com. An additional point here is that changing the behavior of the postMessage method from a content script may break extensions which rely on this emulating a message from the page (which can be legitimate, as one of the main purposes of extensions is to manipulate page content). I wholeheartedly agree that providing some reasonable attribution in messaging is important, but it sounds like the issue here is that extensions aren't using the proper API (chrome.runtime), which provides some guarantees.* I don't think there's anything on the chrome-side here that we should change. For that reason, I'm going to close this out as WontFix, but thank you very much for bringing this up! And again, I would encourage you to file bugs against extensions you see doing this - it is an insecure practice, for the reasons you've laid out. *In the extreme case (a compromised renderer), it could lie about its origin - but that's a reasonably high bar (and is also why extensions should always validate message content).
,
Mar 5 2018
Thanks! I'd file this bug against the extensions themselves in that case. In the meantime, do you mind keeping this ticket hidden so that the extension vendors got a chance to fix things? Thanks.
,
Jun 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by elawrence@chromium.org
, Mar 5 2018Components: Platform>Extensions>API
Labels: Security_Impact-Stable OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows