Universal Code Execution by Chaining Messages in Browser Extensions
Researchers demonstrate universal code execution in browser extensions by exploiting messaging APIs, bypassing security measures. Vulnerabilities in extensions can compromise millions of users, allowing access to sensitive data and enabling arbitrary command execution.
Universal code execution through chaining messages in browser extensions is demonstrated, bypassing Same Origin Policy and browser sandbox restrictions. Vulnerabilities in messaging APIs allow for the exploitation of extensions, potentially affecting millions of users. By leveraging content scripts and background scripts, malicious web pages can breach security boundaries and access sensitive information like cookies. The use of postMessage and sendMessage methods can lead to code execution, especially when combined with native messaging capabilities. The process involves passing messages from the extension to native applications, enabling attackers to execute arbitrary commands. Vulnerability hunting at scale is facilitated by querying Chrome extensions for specific patterns and scanning for insecure message handling. Additionally, the integration of PKI smart cards through browser extensions poses a significant risk, as demonstrated by a specific extension with a large user base. The extension's design flaw allows for the execution of arbitrary code, potentially leading to severe security breaches.
Related
I found a 1-click exploit in South Korea's biggest mobile chat app
A critical exploit in KakaoTalk allows attackers to run JavaScript in a WebView, potentially compromising user accounts by stealing access tokens. The exploit highlights the need to address security vulnerabilities in messaging apps.
If you're using Polyfill.io code on your site – remove it immediately
A Chinese organization acquired polyfill.io, infecting 100,000+ websites with malware. Security warnings urge removal of its JavaScript code. Google blocks ads on affected sites. CDN mirrors aim to reduce risks.
Htmx does not play well with content security policy
HTMX, a JavaScript framework, presents security challenges due to its handling of HTML tags and external script loading. Despite some security features, HTMX usage raises HTML injection risks, complicating full security implementation.
384k sites pull code from sketchy code library recently bought by Chinese firm
Over 384,000 websites linked to a code library in a supply-chain attack by a Chinese firm. Altered JavaScript code redirected users to inappropriate sites. Industry responses included suspensions and replacements.
Malware Developers Increasingly Use V8 JavaScript for Evasion
Researchers from Check Point Research (CPR) discovered a surge in malware using compiled V8 JavaScript to avoid detection. CPR's View8 tool helps analyze hidden malicious code, highlighting the challenge for cybersecurity.
> by first triggering a download of a malicious DLL file followed by sending a message with the GetCertLib action and PKCS11Lib pointing to the download location
I see two problems here. The download location contains the username of the current user which is unknown, right? Also, I thought Windows blocked loading of downloaded DLLs the same way as it blocks running of downloaded executables until you click through the warning dialog box. I don't see how this would work in practice.
Extension security is definitely concerning, and it is definitely true that the recommended ways for extensions to communicate with content are error-prone. But I think Manifest v3's security precautions like the restrictive CSP help a lot.
1. Browser extension has a wildcard pattern for content script.
2. Content script passes postMessage messages to the background script using sendMessage.
3. Background script passes the message to native application using sendNativeMessage.
4. Native application handles the message dangerously, leading to code execution.
Requirement 2 seems to be the most important. postMessage messages should never be passed to sendMessage raw without validation. Fortunately, this should be a rare occurrence in the wild. It only provides very specific benefits to use postMessage in an extension to begin with, and developers who do need to use it are more likely to be aware of the potential vulnerability.
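The summary above describes content scripts relaying postMessage data to the background script, and the comment above singles out that relay (requirement 2) as the link to break. The following is an added example, not code from the article, the researchers, or the commenter: a pure-JavaScript model of a content-script relay in its insecure form (forwarding `event.data` untouched) beside a hardened form that checks `event.origin`, allow-lists the action, and copies only schema-approved fields. The origin `https://app.example.com`, the two actions `GetVersion` and `SignChallenge`, the sample events, and the stand-in `sendMessage` recorder are all constructed for this example and are not from the page.

```javascript
// Added example: validating window.postMessage events before a content script
// relays them to the background script (where chrome.runtime.sendMessage would
// normally be called). Everything below is constructed for illustration.

// Assumption: this hypothetical extension only serves one first-party origin.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Assumption: the only actions the background script should ever receive, each
// with the exact fields permitted and their expected types. Anything else,
// including unknown actions or extra fields, is dropped before relaying.
const ALLOWED_ACTIONS = {
  GetVersion: {},
  SignChallenge: { challenge: 'string' },
};

// Insecure pattern (the shape the article warns about): whatever the page
// posted is handed to the background script unchanged.
function insecureRelay(event, sendMessage) {
  return sendMessage(event.data);
}

// Hardened validation: returns a freshly built, minimal message or null.
function validateRelayMessage(event) {
  // 1. Only accept messages from the origin the extension is meant to serve.
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;

  const data = event.data;
  if (typeof data !== 'object' || data === null) return null;

  // 2. Require a known action. hasOwnProperty avoids prototype-chain lookups
  //    such as action === 'constructor' matching Object.prototype.
  if (typeof data.action !== 'string' ||
      !Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, data.action)) {
    return null;
  }

  // 3. Rebuild the message from the schema; never forward the original object.
  const schema = ALLOWED_ACTIONS[data.action];
  const clean = { action: data.action };
  for (const [field, type] of Object.entries(schema)) {
    if (typeof data[field] !== type) return null;
    clean[field] = data[field];
  }
  return clean;
}

function secureRelay(event, sendMessage) {
  const msg = validateRelayMessage(event);
  if (msg === null) return { relayed: false };
  return { relayed: true, result: sendMessage(msg) };
}

// Run a list of events through a relay and collect what would reach the
// background script. The recorder stands in for chrome.runtime.sendMessage.
function collectRelayed(events, relay) {
  const delivered = [];
  const fakeSendMessage = (msg) => { delivered.push(msg); return 'ok'; };
  for (const ev of events) relay(ev, fakeSendMessage);
  return delivered;
}

// Constructed sample events (not captured traffic). Only #1 and #4 are valid.
const sampleEvents = [
  { origin: 'https://app.example.com', data: { action: 'GetVersion' } },
  { origin: 'https://attacker.example', data: { action: 'GetVersion' } },
  { origin: 'https://app.example.com',
    data: { action: 'GetCertLib', PKCS11Lib: '<untrusted path>' } }, // unknown action
  { origin: 'https://app.example.com',
    data: { action: 'SignChallenge', challenge: 'nonce-123', debug: true } }, // extra field stripped
  { origin: 'https://app.example.com', data: { action: 'SignChallenge', challenge: 42 } }, // wrong type
  { origin: 'https://app.example.com', data: 'hello' }, // not an object
  { origin: 'https://app.example.com', data: { action: 'constructor' } }, // prototype key
];

console.log('insecure relay forwarded:', collectRelayed(sampleEvents, insecureRelay).length);
console.log('secure relay forwarded:', collectRelayed(sampleEvents, secureRelay));
```

The design point is that the hardened relay never forwards the object the page supplied; it constructs a new one from an explicit schema, so a field such as a library path can only reach the background script (and from there native messaging) if the schema names it. In a real extension the same check belongs on the background side too, since the content script runs in the page's process and should not be the only gate.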