Gmail Checker plus Chrome extension XSS/CSRF II
######################################
Gmail Checker plus Chrome extension XSS/CSRF II
extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
Exploit available: yes    Vendor notified: NO
#######################################
So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)
has a flaw that allows attackers to perform XSS-style attacks.
Every extension runs in its own origin, and there is no way to alter the extension's data
or obtain sensitive data such as the email account or password, etc.
If we look at how many users have installed this extension =>
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
303,711 users have installed it (WoW)
############
explanation
############
Google Mail Checker Plus lets users see when they have new mail and
view a preview of the mail....
If an attacker composes a new mail with HTML or JavaScript code in the mail
body and sends it to the victim, the code is executed when the victim clicks on the
extension to view a preview of the mail.
So to exploit this we need to compose a "special" mail.
For example, if we put an iframe directly in the mail body like
"><iframe src="javascript:alert(location.href);"></iframe>
the extension shows this code as plain text and the alert isn't executed...
Then we need to use a feature of Gmail (auto-converting links into clickable URLs).
Then we can compose an email body with an http link like
http://"><iframe src="javascript:alert(location.href);"></iframe>
or compose a mail link like:
lalala@"><iframe src="javascript:alert(location.href);"></iframe>.com
In both cases the alert is executed when trying to preview the email
with the extension; it is executed in a context where the location.href value is
"about:blank".
Gmail is a safe place, but the extensions used to manage it can be a potential
attack vector.
For example, send an email with a Gmail logout action in the body:
http://"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>
It closes the session on Gmail; this is a CSRF.
Also, if the user has enabled the option to show desktop notifications, this issue executes the iframe in the desktop notification window too, and it can cause a denial of service of the extension, for example if the victim tries to change any option in the extension's options page.
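The bug class described above, as an added example that is not the extension's code: a preview pane that builds HTML by string concatenation around Gmail-style auto-linked URLs, beside a hardened version that escapes mail-controlled text and only links candidates that parse as http(s) URLs. The auto-link regex, the function names and the sample body are constructed for this example; Gmail's real auto-link rules differ.

```javascript
// Added example (not the extension's code): the auto-link + preview pattern
// behind this bug class, beside a hardened version. Gmail turns URL-like text
// into <a href="..."> links; if a preview pane then builds HTML by string
// concatenation, a body such as  http://"><iframe ...>  closes the href
// attribute and injects markup into whatever origin renders the preview.

// Stand-in for the auto-link step (constructed; Gmail's real rules differ).
const URL_RE = /(https?:\/\/\S+)/g;

// Vulnerable: raw interpolation of mail-controlled text into markup.
function renderPreviewUnsafe(body) {
  return body.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape everything that came from the mail, and only link
// candidates that survive a strict URL parse with an http(s) scheme.
function renderPreviewSafe(body) {
  let out = '';
  let last = 0;
  for (const m of body.matchAll(URL_RE)) {
    out += escapeHtml(body.slice(last, m.index));
    const candidate = m[1];
    let href = null;
    try {
      const u = new URL(candidate);
      if (u.protocol === 'http:' || u.protocol === 'https:') href = u.href;
    } catch (_) { /* not a parseable URL: fall through and render as text */ }
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(candidate)}</a>`
      : escapeHtml(candidate);
    last = m.index + candidate.length;
  }
  return out + escapeHtml(body.slice(last));
}

// Detection check: does the markup contain any tag other than the <a> the template emits?
function containsUnexpectedTag(html) {
  return /<\/?(?!a\b)[a-z]/i.test(html);
}

// Constructed sample body with the same shape as the payload in the post.
const SAMPLE_BODY =
  'Hi, see http://"><iframe src="javascript:alert(location.href);"></iframe> thanks';
```

With the sample body, renderPreviewUnsafe yields a live iframe tag while renderPreviewSafe yields only escaped text, because the candidate fails URL parsing and every quote and angle bracket is entity-encoded.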
So we have discussed it at http://code.google.com/p/chromium/issues/detail?id=45401
The developer has released a patched version in trunk for other issues that I disclosed before;
see for reference the previous vulns => OSVDB ID: 65459 and OSVDB ID: 65460
previous patch =>
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js
and see the diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0
######################End#################################
andry - Moderator (join date: 2010-05-07)