Notifier for Google Wave Chrome extension XSS/CSRF

andry Wed Oct 06, 2010 5:10 am

######################################
Notifier for Google Wave Chrome extension XSS/CSRF
extension:https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
Exploit available:yes vendor notify : NO
#######################################

So in this case "Notifier for Google Wave Chrome"
has a flaw that allow attackers to make XSS style attacks.

All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..

if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
56,542 users have instaled it (WoW)

############
explanation
############

Notifier for Google Wave allows users to view wen they have a new wave and
view a preview of it ....

If a attacker compose a new wave with html or javascript code in
body & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of wave.

So for exploit we need to compose a "special" wave
for example if we put directly in the mail body a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
in the two cases the alert is executed wen try to preview the wave
with the extension Smile

it is executed in context location.href value is
"about:blank"

For example send a wave With a logout acction in google wave in body
"><iframe src="https://wave.google.com/wave/logout"></iframe>
it closes the sesion on google wave , this is a CSRF.

######################€nd#################################