Security News > 2020 > September > Chrome Vulnerabilities Expose Users to Attacks Via Malicious Extensions
A Chrome 85 update released by Google this week patches several high-severity vulnerabilities, including ones that can be exploited to hack users by convincing them to install malicious extensions.
Erceg told SecurityWeek that the vulnerabilities he discovered all target a specific API made available to extensions - he has not named the impacted API due to the fact that Google hasn't mentioned it either in its release notes.
Exploitation of all three flaws involves convincing the targeted user to install a malicious extension with some specific privileges.
The medium-severity issue, the researcher says, can be exploited by a malicious extension to read the content of local files, which an extension is normally not allowed to do without the user's explicit permission.
The Chrome 85 update that patches these vulnerabilities also addresses an out-of-bounds read issue in storage, for which an unnamed hacker earned $15,000, and an insufficient policy enforcement issue for which researchers Leecraso and Guang Gong of 360 Alpha Lab earned $10,000.
News URL
Related news
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Cookie-Bite attack PoC uses Chrome extension to steal session tokens (source)
- Airplay-enabled devices open to attack via “AirBorne” vulnerabilities (source)
- Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks (source)