Closed Bug 1696258 Opened 5 years ago Closed 5 years ago

WebExtension: remote user tracking

Categories

(WebExtensions :: Untriaged, defect)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: michael.rouges, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Firefox version: 86.0
OS version: Windows 10

remote-user-tracking

This exploit demonstrates how to send some tailored scripts to inject on any web
page and to exchange critical data between tabs.

Permissions

  • <all_urls>, used to trigger on each page
  • webNavigation, used to trigger on page loading

Vectors

  • chrome.executeScript()
  • blob:/data: scripts
  • Any network accessor, from the background (uses EventTarget but can work with fetch, xhr, ...)

Steps to reproduce

  1. Add the extension to the browser
  2. Open any number of new tabs
  3. Open the devtools console
  4. Visit any page with a strict CORS configuration, on each tab
  5. Check the console warnings

Behavior

  • It creates an EventTarget calling https://lcfvs-cve-server.glitch.me/subscribe
  • It saves the cookie and gets that cookie value as first message
  • On any page loading, it calls https://lcfvs-cve-server.glitch.me/location
  • It warns a message, with an object containing
    • the current tabId
    • the current history
    • the current uuid

Server

Source code

Flags: sec-bounty?

I don't quite understand the claim, or at least what is novel about it that requires a security bug filing. Of course a malicious web extension can track you (and worse). Such an extension would violate the addon policies you agree to when you submit them.

Component: Security → Untriaged
Product: Firefox → WebExtensions
Type: task → defect

Not a security bug. An extension with the right permissions can get access to data/interaction on said domains. This is a feature and not a bug.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security
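
A manifest review check for the permission set this report relies on (`<all_urls>` plus `webNavigation`, with a background context), as an added example that is not part of the bug thread or the reporter's extension. The function name, the severity levels and both sample manifests are constructed for illustration.

```javascript
// Match patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (p) => typeof p === "string" && BROAD_HOSTS.has(p);

// Hypothetical reviewer helper: summarise what a manifest lets an extension do.
function auditManifest(manifest) {
  // Manifest V2 mixes hosts into "permissions"; Manifest V3 uses "host_permissions".
  const required = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const optional = manifest.optional_permissions || [];
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const bg = manifest.background || {};

  const facts = {
    broadHosts: required.filter(isBroad),
    optionalBroadHosts: optional.filter(isBroad),
    webNavigation: required.includes("webNavigation"),
    staticInjectionEverywhere: scriptMatches.some(isBroad),
    hasBackground: Boolean(bg.scripts || bg.page || bg.service_worker),
  };

  const findings = [];
  if (facts.broadHosts.length) findings.push("host access to every site: " + facts.broadHosts.join(", "));
  if (facts.optionalBroadHosts.length) findings.push("can request every-site access at runtime");
  if (facts.webNavigation) findings.push("receives navigation events (webNavigation)");
  if (facts.staticInjectionEverywhere) findings.push("content script declared for every site");
  if (facts.hasBackground) findings.push("background context available for network calls");

  // The combination described in the report is rated highest.
  let level = "low";
  if (facts.broadHosts.length || facts.staticInjectionEverywhere) level = "medium";
  if (facts.broadHosts.length && facts.webNavigation && facts.hasBackground) level = "high";
  return { level, findings };
}

// Constructed sample manifests (not taken from the attachment).
const sampleReported = {
  manifest_version: 2, name: "sample-a", version: "1.0",
  permissions: ["<all_urls>", "webNavigation"],
  background: { scripts: ["background.js"] },
};
const sampleScoped = {
  manifest_version: 3, name: "sample-b", version: "1.0",
  permissions: ["storage"], host_permissions: ["https://example.com/*"],
  background: { service_worker: "sw.js" },
};

console.log(auditManifest(sampleReported));
console.log(auditManifest(sampleScoped));
```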