Hi,
I am a researcher at UC Berkeley currently working on vulnerabilities in Google Chrome extensions. One of the extensions we looked at was OpenAttribute, and we found a vulnerability which allows an attacker to attack the extension whenever the user clicks the browser action. He can then gain the full extension permissions. Given that the extension requests many permissions (tabs and all HTTP(S) websites), a successful attacker could make arbitrary HTTP requests as the user, XSS any page the user visited, observe all of the user's browsing activity, and open and close arbitrary tabs.

Under typical use of your extension, a user visits a page (say, Wikipedia) and then clicks the button to obtain the information needed to cite the source. There are two threat models to consider.

First, consider an attacker who owns a website and can get the extension to think it is a CC-licensed page. This attacker can insert HTML special characters into the page and cause the popup to run JavaScript. Since the popup runs with full extension permissions, the attacker now has control over the extension.

Next, consider an attacker who is an HTTP network attacker. That is, imagine the user is browsing Wikipedia from a coffee shop. The attacker is monitoring all network traffic, and when he sees the user visit Wikipedia, he could then send a fake response as if it were coming from the Wikipedia servers but with a title that contains the same HTML special characters. If the user then clicks the browser action, then again the attacker gains full permissions.

The attacker, in both cases, can run arbitrary JavaScript from within the context of the core extension -- meaning it can make XMLHttpRequests and modify other tabs. Additionally, it can set timer events to trigger these events in the future so that the user will not need to click the button more than once.
Specifically, the vulnerability occurs on popup.html line 68, which runs document.getElementById("container").innerHTML = "<p style=\"font-weight:bold\">" + title + "</p>";

There are several ways to fix this. One method would be to write to an iframe instead of directly to the normal popup frame. Using an iframe would remove all of the permissions an attacker could gain. Another method would be to sanitize the title of the page for HTML special characters (< > & " '). A final method would be to use the .innerText setter instead of .innerHTML, which sets the text of the page to whatever you want, without the risk of adding other HTML elements.

We plan to publish all of the security vulnerabilities we have found in extensions, including this one. However, we are first providing you with the opportunity to fix or dispute the vulnerabilities.

Thanks,
Nicholas
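The sink described in the report, shown beside two of the fixes it proposes, as an added example that is not part of the original email or the OpenAttribute extension's code. The function names, the escaping helper and the sample title are constructed for illustration; the text-node fix assumes a DOM (the extension popup) and is not exercised without one.

```javascript
// The title comes from the visited page (its <title>, or a spoofed HTTP
// response on an untrusted network), so it must be treated as untrusted input.

// Vulnerable pattern from the report: the title is concatenated straight into
// markup that is then assigned to innerHTML, so any tags in it are parsed.
function renderTitleUnsafe(title) {
  return '<p style="font-weight:bold">' + title + '</p>';
}

// Fix 2 from the report: escape the HTML special characters < > & " ' before
// the title is placed inside markup. Constructed helper, not a library call.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderTitleSafe(title) {
  return '<p style="font-weight:bold">' + escapeHtml(title) + '</p>';
}

// Fix 3 from the report: set text rather than markup. Assumes a DOM element
// (e.g. document.getElementById("container") in the popup); textContent is
// never parsed as HTML, so no element can be injected through the title.
function setTitleAsText(containerEl, title) {
  const p = containerEl.ownerDocument.createElement('p');
  p.style.fontWeight = 'bold';
  p.textContent = title;
  containerEl.replaceChildren(p);
  return p;
}

// Constructed sample title of the kind a malicious or spoofed page could serve.
const SAMPLE_TITLE = 'Cat Photos <img src=x onerror="alert(1)"> & \'more\'';

// True when the rendered markup still contains a raw tag, i.e. the sink is live.
function containsRawTag(html) {
  return /<img\b/i.test(html);
}
```

Run under Node it has no DOM, so only the string-building paths execute; in the popup, `setTitleAsText` is the drop-in replacement for the line 68 assignment.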