Wladimir Palant: Breaking Custom Cursor to p0wn the web |
Browser extensions make attractive attack targets. That’s not necessarily because of the data handled by the extension itself, but too often because of the privileges granted to the extension. Particularly extensions with access to all websites should better be careful and reduce the attack surface as much as possible. Today’s case study is Custom Cursor, a Chrome extension that more than 6 million users granted essentially full access to their browsing session.
The attack surface of Custom Cursor is unnecessarily large: it grants custom-cursor.com website excessive privileges while also disabling default Content Security Policy protection. The result: anybody controlling custom-cursor.com (e.g. via one of the very common cross-site scripting vulnerabilities) could take over the extension completely. As of Custom Cursor 3.0.1 this particular vulnerability has been resolved, the attack surface remains excessive however. I recommend uninstalling the extension, it isn’t worth the risk.
The Custom Cursor extension will let you view cursor collections on custom-cursor.com website, installing them in the extension works with one click. The seamless integration is possible thanks to the following lines in extension’s manifest.json file:
"externally_connectable": {
"matches": [ "*://*.custom-cursor.com/*" ]
},This means that any webpage under the custom-cursor.com domain is allowed to call chrome.runtime.sendMessage() to send a message to this extension. The message handling in the extension looks as follows:
browser.runtime.onMessageExternal.addListener(function (request, sender, sendResponse) {
switch (request.action) {
case "getInstalled": {
...
}
case "install_collection": {
...
}
case "get_config": {
...
}
case "set_config": {
...
}
case "set_config_sync": {
...
}
case "get_config_sync": {
...
}
}
}.bind(this));
This doesn’t merely allow the website to retrieve information about the installed icon collections and install new ones, it also provides the website with arbitrary access to extension’s configuration. This in itself already has some abuse potential, e.g. it allows tracking users more reliably than with cookies as extension configuration will survive clearing browsing data.
Originally I looked at Custom Cursor 2.1.10. This extension version used jQuery for its user interface. As noted before, jQuery encourages sloppy security practices, and Custom Cursor wasn’t an exception. For example, it would create HTML elements by giving jQuery HTML code:
collection = $(
`${collname}">
${item.name}
${collname}">
With collname being unsanitized collection name here, this code allows HTML injection. A vulnerability like that is normally less severe for browser extensions, thanks to their default Content Security Policy. Except that Custom Cursor doesn’t use the default policy but instead:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",This 'unsafe-eval' allows calling inherently dangerous JavaScript functions like eval(). And what calls eval() implicitly? Why, jQuery of course, when processing a
https://palant.info/2021/09/28/breaking-custom-cursor-to-p0wn-the-web/
| Комментировать | « Пред. запись — К дневнику — След. запись » | Страницы: [1] [Новые] |
