I’ve started publishing my “extension security basics” article series. First article takes apart a very simple extension. Two more are already written, quite a few more are planned.


Continuing with this article series. This time I’m discussing the potential impact of various extension privileges if these fall into the wrong hands. That’s the last preparation article, next time it’s going to be about actual vulnerabilities.


Not sure whether this comes as a surprise to anyone but one of the conclusions is: more popular extensions tend to use more powerful privileges. So all that sandboxing does comparably little when popular extensions are compromised.

What does it take to make an extension page vulnerable to Remote Code Execution, giving away access to all extension privileges? Quite a lot actually. This article looks into what a vulnerable extension looks like and how it could be attacked.


Some insight from my extension survey here as well: popular extensions are way more likely to relax Content Security Policy protection and to add 'unsafe-eval'. When looking at extensions with more than 100k users, more than 15% of them do this!


I say “websites … cannot usually access extension pages directly” in this article. In case you are wondering what happens when they actually do: it’s going to be the topic of the next article, and it’s going to be a rather extensive one. Yes, that’s the messy scenario.

Next article, continuing to look at potential attacks on extension pages. This time looking at web-accessible pages; this allows for lots of potential mischief. So the article covers lots of ground. Hopefully still comprehensible this way.

