Security researcher Mathias Karlsson reports that attackers can remove Google Chrome extensions, such as the popular HTTPS Everywhere, without users of the popular browser having to do anything other than visit a web page.
Karlsson (@avlidienbrunn) reports that the vulnerability exists in the latest stable version of Chrome and allows extensions to be tampered with without requiring substantial intervention.
"After a few hours of analysis, I was able to turn off HTTPS Everywhere just by viewing an HTML page," says Karlsson.
"In fact, I was able to disable any extension without user interaction."
Karlsson published a PoC that demonstrates the issue against HTTPS Everywhere.
The flaw affects all users who have not enabled Chrome's automatic updates.
Extensions can be broken when web pages attempt to access the Chrome extension URI handler. A malicious link leading to a specially crafted page that sends ping requests to this feature is enough to carry out the attack.
Google had blocked most Chrome URI requests for extensions, but it seems that ping still works.