Chrome vulnerability can be exploited to disable extensions without any user interaction

Researcher discovers vulnerability in Chrome that allows him to disable extensions without user’s interaction

Security researcher, Mathias Karlsson has discovered an unique vulnerability Google Chrome that can be exploited to disable Chrome extensions without user’s interaction.

He has stated on his website, Detectify Labs that he exploited a vulnerability in HTTPS Everywhere.

“During the last few weeks I’ve been looking at the security of some popular security extensions and one of the extensions that I checked out (which I also use myself) was HTTPS Everywhere. After some hours of analysis I managed to disable it by just viewing a HTML page. In fact, I managed to disable any extension and most (including HTTPS Everywhere) without any user interaction!”

He said that he first started investigating the source code to HTTPS Everywhere hoping to find some bug but was disappointed.

“I started by examining the source code to HTTPS Everywhere, hoping to find some easy miss in the ‘Block all HTTP requests”’ implementation, but to no avail,” Karlsson explained in a blog post.  “After a while, I discovered (to my surprise) that by just accessing the extension using the ‘chrome-extension”’ URI handler, extension was disabled. In fact, this didn’t only work on the HTTPS Everywhere extension, but all Chrome extensions I tested!”

After some testing, he realized that the best way to make a user unknowingly access the URI handler is to set up a HTML page with PoC javascript that will send out a request to the browser. Almost all the requests to load the “chrome-extension” URI were blocked by the browser, but requests issued via the “ping” attribute were allowed.

“The ‘ping’ attribute, if present, sends the URLs of the resources a notification/ping if the user follows the hyperlink,” he explained. “This meant that we could disable an extension by simply clicking a link which is very feasible for an attack.”

Proof of Concept (P0C)

This is the PoC (proof of concept) combining the discoveries that would disable HTTPS Everywhere by just rendering the HTML:

<a ping="chrome-extension://gcbommkclmclpchllfjekcdonpmejbdp/" id="link"></a><script>link.click()</script>

Aftermath of rendering that HTML:

Chrome patch

Karlsson said that he informed Google about the vulnerability of the Chrome to mishandle HTTPS Everywhere requests and found out that the bug had already been discovered by another security researcher in a separate report. Google had taken cognizance of the bug and it has been fixed in the latest stable version of the Chrome.

The blogpost does not mention the version number of the stable version of Chrome so it can assumed that, Karlsson is talking about Chrome 44.0.2403.125 (Platform version: 7077.111.0) which was released just a few days back.  This build contains a number of bug fixes and security updates, a partial list of which is available here.

However, older versions of Chrome may still be vulnerable to this exploit.