Chrome extensions crocked with simple attack


Detectify researcher Mathias Karlsson says attackers can remove Google Chrome extensions, including the popular HTTPS Everywhere extension, when a user does nothing more than visit a web page.

Karlsson (@avlidienbrunn) says the vulnerability, now patched and pushed into the latest stable edition of Chrome, allowed users to be targeted without any action on their part.

“After some hours of analysis I managed to disable it (HTTPS Everywhere) by just viewing an HTML page,” Karlsson says.

“In fact, I managed to disable any extension and most without any user interaction.”

Karlsson published a proof-of-concept attack that will disable HTTPS Everywhere by corrupting it.

The flaw does not reside in the extension itself, and it affects users who have not yet received Chrome's automatic update.


Source: http://www.theregister.co.uk/
