Video Downloader Extension: Universal XSS
Browsing through the list of most popular Chrome extensions, I noticed this extension with 4M users:
It has a pretty obvious universal XSS (i.e. it effectively lets any site take over any other site).
Any website can do this:
// Change the active tab
// Run code in the new tab
That will run arbitrary code on google.com.
I reported this bug to the CWS team.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: taviso