

Andrews54757 | 1 year ago

Requirements as listed by the article:

1. Browser extension has a wildcard pattern for content script.

2. Content script passes postMessage messages to the background script using sendMessage.

3. Background script passes the message to native application using sendNativeMessage.

4. Native application handles the message dangerously, leading to code execution.

Requirement 2 seems to be the most important. postMessage messages should never be passed to sendMessage raw without validation. Fortunately, this should be a rare occurrence in the wild. It only provides very specific benefits to use postMessage in an extension to begin with, and developers who do need to use it are more likely to be aware of the potential vulnerability.

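The check called for by requirement 2, as an added example that is not code from the thread or from any extension the article describes: the page-facing side of a content script that receives `window` messages and decides what, if anything, is relayed to the background script with `chrome.runtime.sendMessage`. The allowed origin, the `lookup` message type and the `query` field are constructed for this example.

```javascript
// Constructed policy for this example: the extension only expects messages of
// type "lookup" from its own web app's origin, carrying a bounded string field.
const ALLOWED_ORIGIN = "https://app.example.com"; // assumed page origin
const ALLOWED_TYPES = new Set(["lookup"]);
const MAX_QUERY_LEN = 256;

// The pattern the thread warns about: whatever the page posted is handed to the
// background script unchanged, so every site matched by the wildcard content
// script pattern gets a path toward sendNativeMessage.
function relayUnchecked(event, sendMessage) {
  sendMessage(event.data);
  return true;
}

// Hardened version: check the sender's origin, enforce a strict message shape,
// and rebuild the outgoing message from validated fields instead of forwarding
// the page-controlled object. Returns null when the message must be dropped.
function validateMessage(event) {
  if (event.origin !== ALLOWED_ORIGIN) return null;
  const d = event.data;
  if (typeof d !== "object" || d === null) return null;
  if (!ALLOWED_TYPES.has(d.type)) return null;
  if (typeof d.query !== "string") return null;
  if (d.query.length === 0 || d.query.length > MAX_QUERY_LEN) return null;
  // Only whitelisted, re-typed fields leave the content script; unknown
  // properties on the page's object are discarded here.
  return { type: d.type, query: d.query };
}

// Returns true when a message was relayed, false when it was dropped.
function relayChecked(event, sendMessage) {
  const msg = validateMessage(event);
  if (msg === null) return false;
  sendMessage(msg);
  return true;
}

// Wiring inside an actual content script; skipped when run outside a browser
// (e.g. under Node) so the functions above can be exercised stand-alone.
if (typeof window !== "undefined" && typeof chrome !== "undefined" && chrome.runtime) {
  window.addEventListener("message", (event) =>
    relayChecked(event, (m) => chrome.runtime.sendMessage(m))
  );
}
```

The background script should apply the same shape check again before calling `sendNativeMessage`, since the content script runs in a page it does not fully control.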

swatcoder | 1 year ago

> Fortunately, this should be a rare occurrence in the wild. It only provides very specific benefits to use postMessage in an extension to begin with, and developers who do need to use it are more likely to be aware of the potential vulnerability.

I'm not sure you're making a sound assessment of code quality in the wild. What a practiced and responsible engineer might do and what somebody slapping together an extension under deadline pressure or without a strong foundation in defensive practices might do are very different, and there's a lot of that latter stuff out there, some in wide use. That's why so much effort and attention is put into crafting systemic safeguards that (seek to) prevent savvy people from exploiting mistakes by not-so-savvy people.

the8472 | 1 year ago

Stopping at 3 might already be enough if the background script has a sufficiently juicy bug that can be triggered by a message, e.g. if you can exfiltrate cookies or trigger requests with the user's credentials.