I’ve started publishing my “extension security basics” article series. First article takes apart a very simple extension. Two more are already written, quite a few more are planned.
Continuing with this article series. This time I’m discussing the potential impact of various extension privileges if these fall into the wrong hands. That’s the last preparation article, next time it’s going to be about actual vulnerabilities.
What does it take to make an extension page vulnerable to Remote Code Execution, giving away access to all extension privileges? Quite a lot actually. This article looks into what a vulnerable extension looks like and how it could be attacked.
I say “websites … cannot usually access extension pages directly” in this article. In case you are wondering what happens when they actually do: it’s going to be the topic of the next article, and it’s going to be a rather extensive one. Yes, that’s the messy scenario.
Next article, continuing to look at potential attacks on extension pages. This time looking at web-accessible pages; this allows for lots of potential mischief. So the article covers lots of ground. Hopefully still comprehensible this way.