Chrome Universal XSS using an intercepted native function (CVE-2016-1672)

ID SSV:93023
Type seebug
Reporter Root
Modified 2017-04-24T00:00:00



The fix for the issue 546677 is insufficient to protect against overriding the internal extensions code -- it is still possible to take over the built-in extension system with a combination of getters and setters. This allows web content to gain access to native functions that may be misused, for example |user_gestures. RunWithUserGesture| can be leveraged to create new pages at an arbitrary javascript execution point, effectively bypassing ScopedPageLoadDeferrer.


Chrome 48.0.2564.116 (Stable)
Chrome 49.0.2623.64 (Beta)
Chrome 50.0.2657.0 (Dev)
Chromium 50.0.2660.0 + Pepper Flash (Release build compiled today)

Attachment: CVE-2016-1672