
Issue metadata

Status: Fixed
Closed: Jan 2017


Issue 1088: Adobe: Adobe Acrobat Force-Installed Vulnerable Chrome Extension

Reported by, Jan 18 2017 Project Member

Issue description

On January 12th, an automatic Adobe Acrobat update force installed a new chrome extension with ID efaidnbmnnnibpcajpcglclefindmkaj. You can view it on the Chrome Webstore here:

I can see from the webstore statistics it's already got ~30M installations. 

It didn't take long to notice there's a DOM XSS in data/js/frame.html

        } else if (request.current_status === "failure") {
            analytics(events.TREFOIL_HTML_CONVERT_FAILED);
            if (request.message) {
                str_status = request.message;
            }
            success = false;

Presumably you can do

"chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/data/js/frame.html?message=" + encodeURIComponent(JSON.stringify({
        panel_op: "status",
        current_status: "failure",
        message: "<h1>hello</h1>"
}))

I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.

I've also noticed the way they've designed the "to_html" RPC seems racy, the url of a tab might change (because an attacker can do x =; x.location = "new location"). Right now I don't think you can do very much with it because it doesn't seem to be feature complete...but still, it seems worth noting this so it doesn't introduce a vulnerability when they enable it.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
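
The following is an added example, not part of the report and not Adobe's code. It shows the handling a page like frame.html needs for the message parameter: validate the decoded JSON, then render request.message as text only. The function names, the status allowlist, the length cap, the fallback text and the assumption that the status string ends up in markup are all assumptions made for illustration.

```javascript
// Added example; function names, allowlist and length cap are assumptions.
const KNOWN_STATUS = new Set(["success", "failure"]); // assumed set of states
const MAX_MESSAGE_LEN = 200;                          // assumed cap

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse and validate the ?message= parameter; null means "ignore this request".
function parseStatusRequest(pageUrl) {
  let request;
  try {
    const raw = new URL(pageUrl).searchParams.get("message");
    if (raw === null) return null;
    request = JSON.parse(raw);
  } catch (err) {
    return null; // malformed URL or malformed JSON
  }
  if (request === null || typeof request !== "object" || Array.isArray(request)) return null;
  if (request.panel_op !== "status") return null;
  if (!KNOWN_STATUS.has(request.current_status)) return null;
  if (request.message !== undefined && typeof request.message !== "string") return null;
  return request;
}

// Assumed sink for the pattern in the report: request.message becomes the
// status string and is then treated as markup.
function statusMarkupUnsafe(request) {
  const strStatus = request.message || "Conversion failed";
  return '<span class="status">' + strStatus + "</span>";
}

// Hardened: the message is only ever text. In the page itself, assigning to
// element.textContent has the same effect as escaping here.
function statusMarkupSafe(request) {
  const strStatus = (request.message || "Conversion failed").slice(0, MAX_MESSAGE_LEN);
  return '<span class="status">' + escapeHtml(strStatus) + "</span>";
}

// Constructed input, built the way the report builds its URL.
const SAMPLE_URL =
  "chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/data/js/frame.html?message=" +
  encodeURIComponent(JSON.stringify({
    panel_op: "status", current_status: "failure", message: "<h1>hello</h1>"
  }));
const sample = parseStatusRequest(SAMPLE_URL);
console.log(statusMarkupUnsafe(sample)); // heading element reaches the markup
console.log(statusMarkupSafe(sample));   // same input, rendered inert
```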

Comment 1 by, Jan 18 2017

Project Member


Hi Tavis,

Thanks again for contacting us about this bug.  We're planning an update that we expect will land next week.

We'll circle back with you on Tuesday with a more precise timeframe.

Comment 2 by, Jan 18 2017

Project Member
Labels: -Restrict-View-Commit
Status: Fixed (was: New)

Hi Tavis,

Thanks again for contacting us about this XSS bug. We pushed a fix yesterday and it looks like the new version is live now. What is your expectation around notification to users?


Comment 3 by, Feb 3 2017

Project Member
Labels: -Reported-12-Jan-2017 Reported-2017-Jan-12

Comment 4 Deleted

Comment 5 Deleted

Comment 6 by, Dec 26

Project Member
Labels: Restrict-AddIssueComment-EditIssue
This issue tracker is not intended to be a discussion forum, please only add comments if you have information relevant to this bug.
