Chrome extensions easily disabled without user interaction
Independent researcher Mathias Karlsson has discovered a vulnerability that can be exploited to disable Chrome extensions without user interaction.
Apparently, the bug had already been discovered and reported to Google separately, and it has been fixed in the latest stable version of the popular browser.
“I started by examining the source code to HTTPS Everywhere, hoping to find some easy miss in the ‘Block all HTTP requests’ implementation, but to no avail,” Karlsson explained in a blog post.
“After a while, I discovered (to my surprise) that by just accessing the extension using the ‘chrome-extension’ URI handler, the extension was disabled. In fact, this didn’t only work on the HTTPS Everywhere extension, but all Chrome extensions I tested!”
Most requests to load the “chrome-extension” URI were blocked by the browser, but requests issued via the “ping” attribute were not.
“The ‘ping’ attribute, if present, sends the URLs of the resources a notification/ping if the user follows the hyperlink,” he explained. “This meant that we could disable an extension by simply clicking a link which is very feasible for an attack.”
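The check below is an added example, not code from Karlsson's post or from Chrome: a content-side audit that flags hyperlinks whose "ping" attribute targets anything other than http(s), such as the "chrome-extension" scheme described above. The allow-list policy, the function names and the sample page (including EXTENSION_ID_PLACEHOLDER) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ALLOWED_PING_SCHEMES = {"http", "https"}  # policy assumed by this example
ASCII_WS = re.compile(r"[ \t\n\f\r]+")    # ping is a whitespace-separated URL list


class PingAuditor(HTMLParser):
    """Records ping targets on <a>/<area> whose scheme is not http(s)."""

    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        first = {}  # keep the first occurrence of each attribute, as browsers do
        for name, value in attrs:
            first.setdefault(name, value)
        ping = first.get("ping")
        if not ping:  # absent, valueless or empty
            return
        line, _ = self.getpos()
        for token in filter(None, ASCII_WS.split(ping)):
            target = urljoin(self.base_url, token)  # resolve relative URLs
            scheme = urlsplit(target).scheme.lower()
            if scheme not in ALLOWED_PING_SCHEMES:
                self.findings.append({"line": line, "href": first.get("href"),
                                      "ping": target, "scheme": scheme})


def audit_pings(html, base_url):
    """Return one finding per ping URL with a non-http(s) scheme."""
    auditor = PingAuditor(base_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; EXTENSION_ID_PLACEHOLDER is not a real extension ID.
SAMPLE_HTML = """<html><body>
<a href="https://example.test/news" ping="https://stats.example.test/p /track">ok</a>
<a href="https://example.test/offer" ping="chrome-extension://EXTENSION_ID_PLACEHOLDER/">flagged</a>
<a href="/x" PING="HTTPS://stats.example.test/q Chrome-Extension://EXTENSION_ID_PLACEHOLDER/ ">mixed</a>
</body></html>"""

if __name__ == "__main__":
    for f in audit_pings(SAMPLE_HTML, "https://example.test/page"):
        print(f"line {f['line']}: {f['href']} pings {f['ping']}")
```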