Professional Webmasters Community
Would you like to react to this message? Create an account in a few clicks or log in to continue.
Professional Webmasters Community

your are free to explore your reviews, thoughts, suggestion and guidelines on every online tech talk.


Gmail Checker plus Chrome extension XSS/CSRF II

Professional Webmasters Community :: Webmaster Speak :: Tech Talk

Go down

Gmail Checker plus Chrome extension XSS/CSRF II Empty Gmail Checker plus Chrome extension XSS/CSRF II

Post  andry Thu Sep 23, 2010 4:13 am

######################################
Gmail Checker plus Chrome extension XSS/CSRF II
extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
Exploit available:yes vendor notify: NO
#######################################

So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)
has a flaw that allow attackers to make XSS style attacks.

All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..

if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
303,711 users have instaled it (WoW)

############
explanation
############

Google Mail Checker Plus allows users to view wen they have a new mail and
view a preview of the mail ....

If a attacker compose a new mail with html or javascript code in mail
body & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of mail.

So for exploit we need to compose a "special" mail
for example if we put directly in the mail body a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
the extension shows this code in plain text and the alert isn´t executed...
them we need to use a Feature from gmail ( auto conver links in clicable urls)
them we can compose a email body with a http link like
http://"><iframe src="javascript:alert(location.href);"></iframe>
or compose a mail link like :
lalala@"><iframe src="javascript:alert(location.href);"></iframe>.com
in the two cases the alert is executed wen try to preview the email
with the extension Smile it is executed in context location.href value is
"about:blank"


Gmail is a safe place , but the extensions to manage it, can be a potential
vector to attack.

For example send a email With a logout acction in gmail in body
http://"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>
it closes the sesion on gmail , this is a CSRF.
also if the user has mark option to show notifications on desktop this issue execute the iframe too in the desktop notifications window and can cause to a denial of service of extension, for example if the victim´s try to change any option in options page from extension Razz

So we have dispute it in http://code.google.com/p/chromium/issues/detail?id=45401
The developer has release a patch version in trunk for other issues what i disclose before
see for references for previous vulns => OSVDB ID :65459 and OSVDB ID: 65460
previous patch =>
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js
and see diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0

######################€nd#################################
andry
andry
Moderator
Moderator

Posts : 467
Join date : 2010-05-07

Back to top Go down

Back to top

- Similar topics

Professional Webmasters Community :: Webmaster Speak :: Tech Talk

 
Permissions in this forum:
You cannot reply to topics in this forum