Exploiting extensions capabilities via message passing
Reported by emos.ere...@gmail.com, Oct 3
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:
1. Install the extension and navigate to any webpage (say google.com).
2. Open the browser console. Add an HTML element that has the "value" property (say a textarea) with the identifier "IRData".
3. Send the message `{Action: "GETCOOKIE"}` using the "postMessage" API.

What is the expected behavior? What went wrong?
The extension retrieves all user cookies and adds them to the textarea previously created.

WebStore page: https://chrome.google.com/webstore/detail/erailin/aopfgjfeiimeioiajeknfidlljpoebgc

Did this work before? N/A

Chrome version: Channel: stable

Similarly, posting the message `{ Action: "GET_BLOB", URL: "https://mail.google.com" }` will return the list of emails from Gmail. The result is base64-encoded. Decode it using `atob(document.getElementById("IRData").value.slice("data:text/html;base64,".length))`.
Oct 9
reporter@ - Thanks for filing the issue...!! Could you please provide a sample html file to triage from steps 2-3. This will help us in triaging the issue further. Thanks...!!
Oct 9
Sure! I'd rather provide a JS file. Navigate to whatever URL, open the console, and paste the content of the JS file. It will clear the original body content and display a textarea and 2 buttons (one for getting cookies, and the other for making AJAX requests). I put a timeout of 5s before correctly formatting the results. That is because I could not set listeners on the textarea element (I do not know why). Give it a try and let me know if it is working as in my case.
Oct 9
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 19
Adding details on how to exploit this extension and some more. The chrome.zip file in the attachment contains a nodejs (local) server demonstrating how to exploit some of these extensions.
1. Unzip the chrome.zip file.
2. Start the server by running `sudo node server.js localhost 80`.
3. Open http://localhost/chrome.htm in a browser.
4. Install the extension you want to test, and try.
For some extensions, I put a timeout of 5s. You may have to wait before seeing the results. I recommend testing one extension at a time. Once tested, you can disable or uninstall it before testing another one. We have recorded some videos demonstrating how we exploited these extensions. See the demonstration at https://swexts.000webhostapp.com/extensions/
Nov 5
Any comment on this issue?
Nov 14
Please, do you mind providing any feedback on this issue? We will really appreciate that!
Nov 19
Hi there! Could you please provide feedback on whatever action you are taking now on this issue? I am kind of stuck on work that I am doing on browser extensions and regarding this issue in particular.
Nov 19
Basically, you found an exploitable extension which is a problem of that extension and other similar ones. It's not a problem in the browser or the extension API layer. Not sure what you expect here.
Nov 19
Yes, it is not a problem in the browser or extension API. I think it is a problem in the review process that missed the issues posed by those extensions. I expect that you remove or update those extensions because they pose serious security threats to users that have installed them. Maybe I did not explain well the problems that they pose. In other words, these extensions let scripts in webpages post messages (to the extensions) in order to bypass the Same Origin Policy (SOP), execute arbitrary code in the context of the extension, trigger downloads, read and write extension storage, read user browsing history, session cookies, bookmarks and the list of extensions. As you can see from the attached file, some of the extensions have thousands of users and are exploitable right away. If I release my results without you taking any action (removing or updating the extensions), then the sensitive data of dozens of users are at risk. So if you are not planning to take any action, please let me know. I would release my results mentioning that I responsibly reported these threats but no actions were taken. Just to mention, I reported similar bugs on Opera and Firefox, and the extensions have been removed (see https://bugzilla.mozilla.org/show_bug.cgi?id=1496342#c12). If you need time to fix the extensions before I release my results, also let me know.
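As an added illustration, not code from the report, the extension or Chromium: the content-script vetting that would have closed the message-passing path in the issue description and the classes of privileged action listed in the comment above. The action names GETCOOKIE and GET_BLOB come from the report; the handler, the ALLOWED_ORIGINS allowlist (app.example.com), vetRuntimeSender and the sample events are assumptions.

```javascript
// Privileged actions the extension's content script forwards to its background
// page (action names are from the report; this handler is hypothetical).
const PRIVILEGED_ACTIONS = new Set(["GETCOOKIE", "GET_BLOB"]);

// Web origins allowed to request privileged work. Assumed allowlist; the
// reported extensions effectively accepted every origin, which is the bug.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Vet a window.postMessage event before forwarding it to the background page.
// Returns {forward:false, reason} or {forward:true, action[, url]}.
function vetWindowMessage(event, ownWindow) {
  // Reject messages relayed from other frames: only the page's own window.
  if (event.source !== ownWindow) return { forward: false, reason: "foreign-source" };
  // Reject any origin outside the allowlist; an unconditional listener is how
  // cookies and cross-origin mail content leaked in the report.
  if (!ALLOWED_ORIGINS.has(event.origin)) return { forward: false, reason: "origin-not-allowed" };
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.Action !== "string") {
    return { forward: false, reason: "malformed" };
  }
  if (!PRIVILEGED_ACTIONS.has(data.Action)) return { forward: false, reason: "unknown-action" };
  if (data.Action === "GET_BLOB") {
    // The fetched URL must also stay within the allowlist, otherwise the
    // extension's host permissions become a Same Origin Policy bypass.
    let target;
    try { target = new URL(data.URL); } catch (e) { return { forward: false, reason: "bad-url" }; }
    if (!ALLOWED_ORIGINS.has(target.origin)) return { forward: false, reason: "url-not-allowed" };
    return { forward: true, action: "GET_BLOB", url: target.href };
  }
  return { forward: true, action: data.Action };
}

// Background-side check for chrome.runtime.onMessage: the content script runs
// inside a possibly hostile page, so re-check the sending tab's origin there
// (sender.tab.url is filled in when the extension has the tabs permission or
// host permission for that page).
function vetRuntimeSender(sender) {
  if (!sender || !sender.tab || typeof sender.tab.url !== "string") return false;
  let tabUrl;
  try { tabUrl = new URL(sender.tab.url); } catch (e) { return false; }
  return ALLOWED_ORIGINS.has(tabUrl.origin);
}

// Constructed sample events modelling the report: an arbitrary page posting
// {Action: "GETCOOKIE"} is refused, an allowlisted page is forwarded.
const win = {};
const fromArbitraryPage = vetWindowMessage(
  { origin: "https://any-site.example", source: win, data: { Action: "GETCOOKIE" } }, win);
const fromAllowedPage = vetWindowMessage(
  { origin: "https://app.example.com", source: win, data: { Action: "GETCOOKIE" } }, win);
```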
Nov 27
Hi there, any reaction to my last comment on this issue? Are there any actions that Chrome plans to take regarding this issue? Please kindly let us know about your plans!
Nov 30
It is curious that this issue is not considered serious! Could you please give us an explanation about that?
Jan 4
Hey there! We have some updates. A paper in which we discuss this issue has been accepted at IEEE S&P. It would be great if you handle the issue before we publish the final paper.