Chrome Extension Webstore allows to embedding through frameset
Reported by
sanderla...@gmail.com,
Nov 5
|
||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Steps to reproduce the problem: 1. Visit a malicious site, in this example vote411[.]com 2. Notice the site serves a frameset of two pages, one with a (probably) malicious Chrome extension and another one with an arrow, prompting the user to install the extension. What is the expected behavior? Chrome Webstore is not embeddable using iframes or framesets from a different origin. What went wrong? The Chrome Webstore was embedded in a malicious page. The pop-up window looks like a legit page of the Google Chrome webstore to an untrained end-user. WebStore page: Did this work before? N/A Chrome version: 70.0.3538.77 Channel: stable OS Version: 10.0 Flash Version: The example malicious site redirects users to different pages, so this example might not be reproducible.
,
Nov 6
Thanks for filing the issue! Tried testing the issue on chrome reported version# 70.0.3538.77 using Windows-10 with steps mentioned below: 1) Launched chrome reported version and visited vote411.com 2) Page got redirected to URL: http://www12.vote411.com/?subid4=1541495345.0208588460 and didn't observed as per mentioned in screenshot in comment# 0 @Reporter: Please find the attached screenshot for your reference and provide your feedback on it. If possible could you please provide sample test file/URL that reproduces which help in further triaging it in better way. Thanks! |
||
►
Sign in to add a comment |
||
Comment 1 by viswa.karala@chromium.org
, Nov 6