Skip to main content

Posts

Showing posts from April, 2016

Google Chrome Potential leak of sensitive information to malicious extensions (CVE-2016-1658)

Last Google Chrome release for Chrome 50.0.2661.75 contains the fix for a security low bug I found (CVE-2016-1658). When first I found this bug I was under the impression it could be an UXSS. Quickly after I reported I started to realize that this wasn't as exploitable though. The issue per se was extremely easy to reproduce: Create an HTML file that looks like and save it (e.g. chrome.html) <h1>Hi</h1>  <script> alert(document.domain)</script> Now supposing the file is saved under (in MacOS) /Users/xxx/Downloads/chrome.html open the file from hard disk in this way:   file://mail.google.com/Users/xxx/Downloads/chrome.html   Note: mail.google.com is arbitrary . This can be any domain (hence is universal)  Observe the document.domain alerted is mail.google.com!  Observe the cookies transported are the one associated with *.google.com domain : Now this looked really weird to me and I reported as an UXSS. Pretty quickl