Security News > 2020 > September > Chrome Vulnerabilities Expose Users to Attacks Via Malicious Extensions
A Chrome 85 update released by Google this week patches several high-severity vulnerabilities, including ones that can be exploited to hack users by convincing them to install malicious extensions.
Erceg told SecurityWeek that the vulnerabilities he discovered all target a specific API made available to extensions - he has not named the impacted API due to the fact that Google hasn't mentioned it either in its release notes.
Exploitation of all three flaws involves convincing the targeted user to install a malicious extension with some specific privileges.
The medium-severity issue, the researcher says, can be exploited by a malicious extension to read the content of local files, which an extension is normally not allowed to do without the user's explicit permission.
The Chrome 85 update that patches these vulnerabilities also addresses an out-of-bounds read issue in storage, for which an unnamed hacker earned $15,000, and an insufficient policy enforcement issue for which researchers Leecraso and Guang Gong of 360 Alpha Lab earned $10,000.
News URL
Related news
- Google fixes ninth Chrome zero-day exploited in attacks this year (source)
- New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data (source)
- Week in review: PostgreSQL databases under attack, new Chrome zero-day actively exploited (source)
- Israel’s Pager Attacks and Supply Chain Vulnerabilities (source)
- CUPS vulnerabilities could be abused for DDoS attacks (source)