VULNERABILITY DETAILS
I found this bug using a Chrome Exntesion called Grepsr: https://chrome.google.com/webstore/detail/grepsr-web-scraping-tool/hjdijkhlfpeafghibmiabeofkiicdnjm
Using this extension, you can scrape any webpage. I was testing it in a service where I had my login information, and they seemed to be able to supplant the actual webpage and took my login credentials to log in their tool. This made them able to take my credentials and steal my account. It can be seen in the following video: https://www.youtube.com/watch?v=DWRD3yA2cXI
VERSION
Chrome Version: VersiĆ³n 69.0.3497.100 (Build oficial) (64 bits)
Operating System: Mac High Sierra 10.13.6 (17G65)
REPRODUCTION CASE
1. Install Grepsr Account
2. Go to a website where you have a login account with autofill from Chrome
3. Use the extension until they ask you to log in their platform
4. See that they take your autofill password and if you don't look well, you can log in with that details, so the request goes to the server and they have your info.
Can be seen here: https://www.youtube.com/watch?v=DWRD3yA2cXI
Please attach files directly, not in zip or other archive formats, and if
you've created a demonstration site please also attach the files needed to
reproduce the demonstration locally.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers,
exception record]
Client ID (if relevant): [see link above]
CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If
this bug is included, how would you like to be credited?
Reporter credit: Esteve Castells Calpe
|
Deleted:
chrome bug.mov
22.6 MB
|
Comment 1 by jialiul@chromium.org
, Oct 8