<![CDATA[Via message passing, extensions let web applications get access to sensitive pr]]>I reported some extensions posing some security problems, but I could no more track my bug, so I am re-reporting here agains.

Description
Via message passing, extensions can let scripts running in webpages get access to sensitive APIs, such as executing code in the context of the extension, making XMLHttpRequest from the context of the extension and getting the response back, storing data in the context of the extension and retrieving it back later on or triggering the download of arbitrary files on the user computer

Steps to reproduce: Let consider the https://addons.opera.com/en/extensions/details/smaily-dlia-odnoklasnikov/ extension

  1. Install it

  2. Navigate to https://ok.ru for instance and open the browser console.

  3. Send the appropriate message (JavaScript code) to the extension background page

    chrome.runtime.sendMessage("pmpnemphhmmpkcafgpdjanghiaadfbef", {
			action: "getRemote",
			url: "https://mail.google.com",
			blob: null, // Or with data
		}, function(response){
    console.log("DATA", response);
});

  4. If you are logged into your gmail account, the extension reads your emails and displays them in the console. You can replace https://mail.google.com by any URL, the extension will fetch its content and return it back

I have more extensions (around 10) of them, but I cannot upload files.

What should have happened
We think that extensions review process should take into consideration the possibility that extensions let web applications access their privileges APIs. This is a violation of privilege separation between extensions and web applications, and have tremendous consequences: SOP bypass, the execution of arbitrary codes in the context of the extension, access to user cookies, browsing history, access to extensions storage, triggering of downloads, etc.

]]>https://forums.opera.com/topic/29256/via-message-passing-extensions-let-web-applications-get-access-to-sensitive-prRSS for NodeTue, 19 May 2026 06:17:22 GMTFri, 19 Oct 2018 12:41:53 GMT60<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 26 Nov 2018 15:16:20 GMT]]>@tnowak This issue has been addressed ! I note your comment for future reports

]]>https://forums.opera.com/post/159593https://forums.opera.com/post/159593Mon, 26 Nov 2018 15:16:20 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 26 Nov 2018 14:31:50 GMT]]>@doliere Currently the best way to report problems with extensions is through their respective pages.
There's a "Reported issues" button on each.

For general issues and ideas please use https://security.opera.com/report-security-issue/ --> "Web Service or website" --> "addons.opera.com".

Thanks for reporting these!

]]>https://forums.opera.com/post/159590https://forums.opera.com/post/159590Mon, 26 Nov 2018 14:31:50 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Fri, 09 Nov 2018 08:43:42 GMT]]>@leocg Do you think that Opera should do something, during extensions review process, in order to remove extensions that can be exploited via message passing ?

]]>https://forums.opera.com/post/158364https://forums.opera.com/post/158364Fri, 09 Nov 2018 08:43:42 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Tue, 06 Nov 2018 12:51:04 GMT]]>@leocg Ok thanks. I found that most of the extensions I reported have been removed. But I reported some other 4 that are still on the Opera addons page. Thanks for your highly useful help

]]>https://forums.opera.com/post/158206https://forums.opera.com/post/158206Tue, 06 Nov 2018 12:51:04 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Tue, 06 Nov 2018 12:17:25 GMT]]>You can post here in the forums for reference but it would be better to use https://security.opera.com/report-security-issue/

Choose web service or website and mention addons.opera.com

]]>https://forums.opera.com/post/158205https://forums.opera.com/post/158205Tue, 06 Nov 2018 12:17:25 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Tue, 06 Nov 2018 08:16:43 GMT]]>@leocg Yes it has been removed. But I have some more to report, can I do it here ?

]]>https://forums.opera.com/post/158196https://forums.opera.com/post/158196Tue, 06 Nov 2018 08:16:43 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 18:33:02 GMT]]>Nothing. By the way, it seems that the extension you mentioned in the first post was removed.

]]>https://forums.opera.com/post/158169https://forums.opera.com/post/158169Mon, 05 Nov 2018 18:33:02 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 18:28:54 GMT]]>@leocg Ok I see
What to do now ?

]]>https://forums.opera.com/post/158168https://forums.opera.com/post/158168Mon, 05 Nov 2018 18:28:54 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 17:37:09 GMT]]>So that's why you didn't get a confirmation message with the bug id.

]]>https://forums.opera.com/post/158160https://forums.opera.com/post/158160Mon, 05 Nov 2018 17:37:09 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 16:42:06 GMT]]>@leocg No I did not !
I do not remember the exact title of the report, but it is related to extensions that can be exploited by web pages via message passing to get access to privileged extensions API.
So maybe
"Exploiting extensions capabilities via message passing"

OR

"Extensions that let scripts in webpages post messages to the extensions in order to bypass SOP, execute arbitrary code in the context of the extension, trigger downloads, read and write extensions storage"

OR

"Via message passing, extensions let web applications get access to sensitive privileged capabilities"

]]>https://forums.opera.com/post/158159https://forums.opera.com/post/158159Mon, 05 Nov 2018 16:42:06 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 15:29:16 GMT]]>And did you provide one when you made the report?

Do you remember the title or any detail of the report?

]]>https://forums.opera.com/post/158153https://forums.opera.com/post/158153Mon, 05 Nov 2018 15:29:16 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 15:05:57 GMT]]>@leocg No I did not.
I checked my mails

]]>https://forums.opera.com/post/158152https://forums.opera.com/post/158152Mon, 05 Nov 2018 15:05:57 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 14:52:35 GMT]]>Didn't you get an email message with it?

]]>https://forums.opera.com/post/158149https://forums.opera.com/post/158149Mon, 05 Nov 2018 14:52:35 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 14:36:54 GMT]]>@leocg Via the bug report wizard - https://bugs.opera.com/wizard/
I would have saved the bug number, but unfortunately, I did not

]]>https://forums.opera.com/post/158148https://forums.opera.com/post/158148Mon, 05 Nov 2018 14:36:54 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 12:00:34 GMT]]>How did you report those extensions?

]]>https://forums.opera.com/post/158140https://forums.opera.com/post/158140Mon, 05 Nov 2018 12:00:34 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Mon, 05 Nov 2018 07:36:46 GMT]]>@sgunhouse Ok that's a pity, because I do not have a bug number.
May I post it again ?

]]>https://forums.opera.com/post/158133https://forums.opera.com/post/158133Mon, 05 Nov 2018 07:36:46 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Fri, 02 Nov 2018 14:08:54 GMT]]>If you reported it, you should have been assigned a bug report number. If you post that number, I can look it up. Otherwise, no.

]]>https://forums.opera.com/post/157947https://forums.opera.com/post/157947Fri, 02 Nov 2018 14:08:54 GMT<![CDATA[Reply to Via message passing, extensions let web applications get access to sensitive pr on Fri, 02 Nov 2018 11:56:52 GMT]]>Could anyone comment on this issue please ?

]]>https://forums.opera.com/post/157934https://forums.opera.com/post/157934Fri, 02 Nov 2018 11:56:52 GMT