Security researcher Mathias Karlsson reports that attackers can remove Google Chrome extensions, such as the popular HTTPS Everywhere, without users of the popular application needing to do anything other than visit a page.
Karlsson (@avlidienbrunn) reports that the vulnerability exists in the latest stable version of Chrome and allows extensions to be disabled without substantial user intervention being required.
"After a few hours of analysis I managed to disable HTTPS Everywhere just by viewing an HTML page," says Karlsson.
"In fact, I was able to disable any extension without user interaction."
Karlsson published a PoC that demonstrates the issue against HTTPS Everywhere.
The flaw affects all users who have not configured automatic updates for Chrome.
Extensions can be destroyed when web pages attempt to access the Chrome extension URI handler. A malicious link that leads to a specially crafted page sending ping requests to that handler is enough to perform the attack.
Google had blocked most Chrome URI requests for extensions, but it seems that ping still works.