The Chromium open-source project has become a fundamental piece of the Web as we know it today, with multiple vendors offering browsers based on its codebase. One of its most popular features is the possibility of altering or enhancing the browser functionality through third-party programs known as browser extensions. Extensions have access to a wide range of capabilities through the use of APIs exposed by Chromium. The Debugger API -- arguably the most powerful of such APIs -- allows extensions to use the Chrome DevTools Protocol (CDP), a capability-rich tool for debugging and instrumenting the browser. In this paper, we describe several vulnerabilities present in the Debugger API and in the granting of capabilities to extensions that can be used by an attacker to take control of the browser, escalate privileges, and break context isolation. We demonstrate their impact by introducing six attacks that allow an attacker to steal user information, monitor network traffic, modify site permissions (e.g., access to camera or microphone), bypass security interstitials without user intervention, and change the browser settings. Our attacks work in all major Chromium-based browsers as they are rooted at the core of the Chromium project. We reported our findings to the Chromium Development Team, who already fixed some of them and are currently working on fixing the remaining ones. We conclude by discussing how questionable design decisions, lack of public specifications, and an overpowered Debugger API have contributed to enabling these attacks, and propose mitigations.
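Because the paper's attacks hinge on extensions being granted the Debugger API, one practical defensive check is to audit which installed extensions request it. The following script is an added example, not code from the paper; it assumes that access to `chrome.debugger` is requested through the `"debugger"` entry in an extension's `manifest.json` (under `permissions` or `optional_permissions`), and the sample manifests it writes are constructed for the demonstration.

```python
"""Audit Chromium extension manifests for the "debugger" permission.

Extensions reach the Chrome DevTools Protocol through chrome.debugger,
which is gated by the "debugger" manifest permission. This script walks
a directory of unpacked extensions and reports every manifest that
requests it, whether statically or as an optional permission.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

DEBUGGER_PERMISSION = "debugger"  # assumed manifest permission name


def debugger_grants(manifest: dict) -> List[str]:
    """Return the manifest keys through which the debugger permission is requested."""
    hits = []
    for key in ("permissions", "optional_permissions"):
        if DEBUGGER_PERMISSION in manifest.get(key, []):
            hits.append(key)
    return hits


def audit_manifests(root: Path) -> Dict[str, List[str]]:
    """Map extension directory name -> keys granting the debugger permission."""
    findings: Dict[str, List[str]] = {}
    for manifest_path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        keys = debugger_grants(manifest)
        if keys:
            findings[manifest_path.parent.name] = keys
    return findings


SAMPLE_MANIFESTS = {  # constructed examples, not real extensions
    "ext_a": {"name": "A", "manifest_version": 3, "permissions": ["storage", "debugger"]},
    "ext_b": {"name": "B", "manifest_version": 3, "permissions": ["tabs"]},
    "ext_c": {"name": "C", "manifest_version": 3, "optional_permissions": ["debugger"]},
}


def run_demo(root: Optional[Path] = None) -> Dict[str, List[str]]:
    """Write the constructed manifests to a scratch directory and audit them."""
    root = root or Path(tempfile.mkdtemp())
    for name, manifest in SAMPLE_MANIFESTS.items():
        ext_dir = root / name
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return audit_manifests(root)


if __name__ == "__main__":
    for ext, keys in run_demo().items():
        print(f"{ext}: requests debugger via {', '.join(keys)}")
```

Point `audit_manifests` at the unpacked-extensions directory of the browser profile you are reviewing; extensions it flags deserve the same scrutiny as any other software with full control of the browser.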