web_accessible_resource secret token accessible to webpages

[konarkmodi]

Prerequisites

• I verified that this is not a filter issue
  • Filter issues MUST be reported at filter issue tracker
• This is not a support issue or a question
  • Support issues and questions are handled at /r/uBlockOrigin
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
  • Your issue may already be reported.
• I tried to reproduce the issue when...
  • uBlock Origin is the only extension
  • uBlock Origin with default lists/settings
  • using a new, unmodified browser profile
• I am running the latest version of uBlock Origin
• I checked the documentation to understand that the issue I report is not a normal behavior

Description

As per the documentation here: https://github.com/gorhill/uBlock/blob/master/src/web_accessible_resources/README.txt#L3, even the files listed under web_accessible_resources are protected from being accessed by webpages using secret_token.

However, in Chromium based browser, we have found that under special circumstances webpages can steal that token:

• Revealing user has uBlockOrigin installed.
• Accessing files under web_accessible_resources.
• Modifying the content of files added to the page via web_accessible_resources and potentially circumvent the functionality
• The secret token seems to be generated on browser restart, hence it can be used as a session identifier to track the users across domains.

A specific URL where the issue occurs

Given the bug tracker is open, intentionally keeping from giving more details / PoC.
Is there a way to report security / privacy issues?

• uBlock Origin version: 1.18.16
• Browser Name and version: Version 74.0.3729.108 (Official Build) (64-bit)
• Operating System and version: macOS 10.14.4

[gorhill]

Is there a way to report security / privacy issues?

I sent you an email.