

Showing posts from April, 2016

Google Chrome Potential leak of sensitive information to malicious extensions (CVE-2016-1658)

The latest Google Chrome release, 50.0.2661.75, contains the fix for a low-severity security bug I found (CVE-2016-1658).
When I first found this bug I was under the impression it could be a UXSS. Shortly after I reported it, I started to realize that it wasn't that exploitable though.
The issue per se was extremely easy to reproduce:

Create an HTML file that looks like the following and save it (e.g. as chrome.html):
<script> alert(document.domain)</script>
Now, supposing the file is saved under /Users/xxx/Downloads/chrome.html (on macOS), open the file from the hard disk in this way:


Note: the domain is arbitrary. This can be any domain (hence the issue is universal).
Observe what document.domain is alerted!

Observe that the cookies sent are the ones associated with the * domain:

Now this looked really weird to me and I reported it as a UXSS. Pretty quickly though it was clear that the file: URL has a unique o…