Via message passing, extensions let web applications get access to sensitive pr
-
doliere last edited by doliere
I reported some extensions posing some security problems, but I could no longer track my bug, so I am re-reporting here again.
Description
Via message passing, extensions can let scripts running in webpages get access to sensitive APIs, such as executing code in the context of the extension, making an XMLHttpRequest from the context of the extension and getting the response back, storing data in the context of the extension and retrieving it back later on, or triggering the download of arbitrary files on the user's computer.
Steps to reproduce
Let us consider the https://addons.opera.com/en/extensions/details/smaily-dlia-odnoklasnikov/ extension.
- Install it
- Navigate to https://ok.ru for instance and open the browser console.
- Send the appropriate message (JavaScript code) to the extension background page
```javascript
chrome.runtime.sendMessage("pmpnemphhmmpkcafgpdjanghiaadfbef", {
    action: "getRemote",
    url: "https://mail.google.com",
    blob: null, // Or with data
}, function(response){
    console.log("DATA", response);
});
```
- If you are logged into your Gmail account, the extension reads your emails and displays them in the console. You can replace https://mail.google.com by any URL, the extension will fetch its content and return it back.
I have around 10 more such extensions, but I cannot upload files.
What should have happened
We think that the extensions review process should take into consideration the possibility that extensions let web applications access their privileged APIs. This is a violation of privilege separation between extensions and web applications, and has tremendous consequences: SOP bypass, the execution of arbitrary code in the context of the extension, access to user cookies, browsing history, access to extensions storage, triggering of downloads, etc.
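For reference, an added example (not part of the original post and not the extension's own code) of how a background page can gate the `getRemote` action so that the message from the report is refused. It assumes the message arrives through `chrome.runtime.onMessageExternal`; `ALLOWED_SENDERS`, `ALLOWED_FETCH_HOSTS`, `static.example.com` and `authorizeGetRemote` are hypothetical names chosen for illustration.

```javascript
// Added example: hardened handling of the "getRemote" action from the report.
// The two allowlists are assumptions; a real extension would list its own hosts.
const ALLOWED_SENDERS = new Set(["https://ok.ru"]);
const ALLOWED_FETCH_HOSTS = new Set(["static.example.com"]); // hypothetical asset host

// Pure policy check: decides whether an external message may trigger a fetch.
function authorizeGetRemote(message, sender) {
  if (!message || message.action !== "getRemote") {
    return { ok: false, reason: "unknown action" };
  }
  let senderOrigin, target;
  try {
    senderOrigin = new URL(sender.url).origin; // exact origin, not a substring match
    target = new URL(message.url);
  } catch (e) {
    return { ok: false, reason: "malformed url" };
  }
  if (!ALLOWED_SENDERS.has(senderOrigin)) {
    return { ok: false, reason: "sender not allowed" };
  }
  if (target.protocol !== "https:" || target.username || target.password) {
    return { ok: false, reason: "scheme or userinfo not allowed" };
  }
  if (!ALLOWED_FETCH_HOSTS.has(target.hostname)) {
    return { ok: false, reason: "target host not allowed" };
  }
  return { ok: true, url: target.href };
}

// Wiring inside the extension's background page (skipped outside a browser).
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    const verdict = authorizeGetRemote(message, sender);
    if (!verdict.ok) {
      sendResponse({ error: verdict.reason });
      return false;
    }
    // credentials: "omit" keeps the user's cookies out of the request, so even
    // an allowed fetch never returns content from the user's logged-in session.
    fetch(verdict.url, { credentials: "omit", redirect: "error" })
      .then((r) => r.text())
      .then((body) => sendResponse({ body }))
      .catch(() => sendResponse({ error: "fetch failed" }));
    return true; // keep the channel open for the async response
  });
}
```

With this policy the message shown in the steps above is answered with an error instead of the fetched page.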
-
doliere last edited by
@sgunhouse Ok that's a pity, because I do not have a bug number.
May I post it again?
-
doliere last edited by
@leocg Via the bug report wizard - https://bugs.opera.com/wizard/
I would have saved the bug number, but unfortunately, I did not.
-
doliere last edited by
@leocg No, I did not!
I do not remember the exact title of the report, but it is related to extensions that can be exploited by web pages via message passing to get access to privileged extensions API.
So maybe
"Exploiting extensions capabilities via message passing"
OR
"Extensions that let scripts in webpages post messages to the extensions in order to bypass SOP, execute arbitrary code in the context of the extension, trigger downloads, read and write extensions storage"
OR
"Via message passing, extensions let web applications get access to sensitive privileged capabilities"
-
leocg Moderator Volunteer last edited by
You can post here in the forums for reference but it would be better to use https://security.opera.com/report-security-issue/
Choose web service or website and mention addons.opera.com
-
tnowak Opera last edited by
@doliere Currently the best way to report problems with extensions is through their respective pages.
There's a "Reported issues" button on each.
For general issues and ideas please use https://security.opera.com/report-security-issue/ --> "Web Service or website" --> "addons.opera.com".
Thanks for reporting these!