Chrome Vulnerabilities Expose Users to Attacks Via Malicious Extensions
2020-09-26 11:28

A Chrome 85 update released by Google this week patches several high-severity vulnerabilities, including ones that can be exploited to hack users by convincing them to install malicious extensions.

Erceg told SecurityWeek that the vulnerabilities he discovered all target a specific API made available to extensions. He has not named the impacted API because Google has not mentioned it in its release notes either.

Exploitation of all three flaws involves convincing the targeted user to install a malicious extension that has specific privileges.

The medium-severity issue, the researcher says, can be exploited by a malicious extension to read the content of local files, which an extension is normally not allowed to do without the user's explicit permission.

The Chrome 85 update that patches these vulnerabilities also addresses an out-of-bounds read issue in storage, for which an unnamed hacker earned $15,000, and an insufficient policy enforcement issue for which researchers Leecraso and Guang Gong of 360 Alpha Lab earned $10,000.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/RWml8V6SejM/chrome-vulnerabilities-expose-users-attacks-malicious-extensions