Security Vulnerability in OpenAttribute


Nicholas Carlini

Jul 27, 2011, 4:34:47 PM
To: Adrienne Porter Felt


I am a researcher at UC Berkeley currently working on vulnerabilities in Google Chrome extensions. 

One of the extensions we looked at was OpenAttribute, and we found a vulnerability which allows an attacker to attack the extension whenever the user clicks the browser action. He can then gain the full extension permissions. Given that the extension requests many permissions (tabs and all HTTP(S) websites), a successful attacker could make arbitrary HTTP requests as the user, XSS any page the user visited, observe all of the user's browsing activity, and open and close arbitrary tabs.

Under typical use of your extension, a user visits a page (say, Wikipedia) and then clicks the button to obtain the information needed to cite the source. There are two threat models to consider.

First, consider an attacker who owns a website and can get the extension to think it is a CC-licensed page. This attacker can insert HTML special characters to the page and cause the popup to run JavaScript. Since the popup runs with full extension permissions, the attacker now has control over the extension.

Next, consider an attacker who is an HTTP network attacker. That is, imagine the user is browsing Wikipedia from a coffee shop. The attacker is monitoring all network traffic and when he sees the user visit Wikipedia, he could then send a fake response as if it was coming from the Wikipedia servers but with a title that contains the same HTML special characters. If the user then clicks the browser action, then again the attacker gains full permissions.

The attacker, in both cases, can run arbitrary JavaScript from within the context of the core extension -- meaning it can make XMLHttpRequests and modify other tabs. Additionally, it can set timer events to trigger these events in the future so that the user will not need to click the button more than once.

Specifically, the vulnerability occurs on popup.html line 68 which runs

document.getElementById("container").innerHTML = "<p style=\"font-weight:bold\">" + title + "</p>";


There are several ways to fix this. One method to fix this would be to write to an iframe instead of directly to the normal popup frame. Using an iframe would remove all of the permissions an attacker could gain. Another method would be to sanitize the title of the page for HTML special characters (< > & " '). A final method would be to use the .innerText setter instead of .innerHTML, which sets the text of the page to whatever you want, without the risk of adding other HTML elements.

We plan to publish all of the security vulnerabilities we have found in extensions, including this one. However, we are first providing you with the opportunity to fix or dispute the vulnerabilities.
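The three remedies listed above (sanitizing the title, or setting text instead of HTML) side by side, as an added example that is not code from the OpenAttribute extension or from the report's authors. It reproduces the innerHTML concatenation pattern quoted above as a string-building function, then shows the escaped variant and a text-node variant; the DOM stand-in object, the `escapeHtml` helper and the sample title are assumptions constructed for the example so it runs outside a browser.

```javascript
// Added example, not OpenAttribute's own code. Demonstrates why concatenating
// an untrusted page title into innerHTML is unsafe and two ways to fix it.

// Escape the five characters that matter in element content and in
// double- or single-quoted attribute values: & < > " '
// (helper assumed for this example)
function escapeHtml(s) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern from the report: the title is spliced straight into markup.
// Returns the string that would be assigned to innerHTML; any tags inside
// the title become real DOM nodes, running in the popup's extension context.
function unsafePopupMarkup(title) {
  return '<p style="font-weight:bold">' + title + "</p>";
}

// Fix 1 (sanitize): same markup, but the title is escaped first, so markup
// characters in it are rendered as literal text.
function safePopupMarkup(title) {
  return '<p style="font-weight:bold">' + escapeHtml(title) + "</p>";
}

// Fix 2 (set text, not HTML): build the element and assign its text content.
// Written against a tiny stand-in for a DOM container so it runs under Node;
// in a real popup this is document.createElement("p") plus
// p.textContent = title (or the .innerText setter the report mentions).
function renderTitleAsText(container, title) {
  const p = { tagName: "p", style: "font-weight:bold", textContent: "" };
  p.textContent = String(title); // a text node is never parsed as markup
  container.children.push(p);
  return p;
}

// Constructed sample title containing every character the escaper handles,
// standing in for what a hostile page or an on-path HTTP response could send.
const SAMPLE_TITLE = 'Tom & Jerry\'s "Guide" <b>bold?</b>';

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", unsafePopupMarkup(SAMPLE_TITLE));
  console.log("safe:  ", safePopupMarkup(SAMPLE_TITLE));
  const container = { children: [] };
  renderTitleAsText(container, SAMPLE_TITLE);
  console.log("text:  ", container.children[0].textContent);
}
```

The `style` attribute is kept constant in both markup variants on purpose: escaping covers the title only, and the fix is to keep every untrusted value out of the markup string rather than to escape the whole string after concatenation.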




Ben Moskowitz

Jul 29, 2011, 12:45:13 PM
Hey guys,

I think we need to schedule that meeting to address this, promote Pat's new features, and figure out what we're doing at the Mozilla Festival in London this year.

Here's a Doodle poll—please respond within 24 hours.

Many thanks!


Begin forwarded message:

Pat Lockley

Jul 29, 2011, 1:07:51 PM
I've already put out version 0.7 which fixes it - as far as I can tell.

Pat Lockley

Jul 29, 2011, 1:13:53 PM
Also, no link?

On 29 Jul 2011, at 17:45, Ben Moskowitz <> wrote:

Ben Moskowitz

Jul 29, 2011, 1:35:16 PM

Thanks for .7. I think the response also needs to include a push for people to update, and a statement (cause they'll be making one for us).

Pat Lockley

Jul 29, 2011, 2:09:16 PM
I tend to just upload and publish. Not sure if Chrome supports a push?

Will add details to the site page later on. Am on hols for the weekend so will wait until I can find a PC.