Chrome extensions easily disabled without user interaction
Independent researcher Mathias Karlsson has discovered a vulnerability that can be exploited to disable Chrome extensions without user interaction.
Apparently, the bug has already been discovered and shared with Google in a separate report, and has already been fixed in the latest stable version of the popular browser.
“I started by examining the source code to HTTPS Everywhere, hoping to find some easy miss in the ‘Block all HTTP requests’ implementation, but to no avail,” Karlsson explained in a blog post.
“After a while, I discovered (to my surprise) that by just accessing the extension using the ‘chrome-extension’ URI handler, the extension was disabled. In fact, this didn’t only work on the HTTPS Everywhere extension, but all Chrome extensions I tested!”
After some testing, he realized that the best way to make a user unknowingly access the URI handler is to set up an HTML page with PoC JavaScript that sends a request to the browser.
Most requests to load the “chrome-extension” URI were blocked by the browser, but requests issued via the “ping” attribute were not.
“The ‘ping’ attribute, if present, sends the URLs of the resources a notification/ping if the user follows the hyperlink,” he explained. “This meant that we could disable an extension by simply clicking a link which is very feasible for an attack.”
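As an added defender-side example (not code from the article or from Karlsson's post), the script below audits an HTML page for anchors whose ping attribute targets a scheme other than HTTP(S), which is how the chrome-extension:// access described above is reached; the sample page and the extension id placeholder are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one anchor whose "ping" attribute targets the
# chrome-extension:// scheme (the pattern described in the article), one
# benign anchor with an https ping URL, and one with no ping attribute.
SAMPLE_HTML = """
<html><body>
<a href="https://example.test/" ping="chrome-extension://EXTENSION_ID_PLACEHOLDER/">read more</a>
<a href="https://example.test/next" ping="https://analytics.example.test/ping">next</a>
<a href="https://example.test/about">about</a>
</body></html>
"""

# Schemes a ping beacon legitimately uses; anything else is flagged.
ALLOWED_PING_SCHEMES = {"http", "https"}


class PingAuditor(HTMLParser):
    """Collects every <a>/<area> whose ping list names a non-HTTP(S) URL."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (href, offending ping URL)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = dict(attrs)
        ping = attr.get("ping")
        if not ping:
            return
        # The ping attribute is a space-separated list of URLs, so check each one.
        for url in ping.split():
            scheme = urlsplit(url).scheme.lower()
            if scheme not in ALLOWED_PING_SCHEMES:
                self.findings.append((attr.get("href", ""), url))


def find_suspicious_pings(html):
    """Return (href, ping_url) pairs whose ping URL uses a non-HTTP(S) scheme."""
    auditor = PingAuditor()
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for href, url in find_suspicious_pings(SAMPLE_HTML):
        print(f"link {href!r} pings a non-HTTP(S) scheme: {url}")
```

The same check can be run over fetched pages or proxy captures to flag link beacons aimed at browser-internal schemes.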