Researcher discovers vulnerability in Chrome that allows him to disable extensions without user’s interactionProof of Concept (P0C)Chrome patch
He has stated on his website, Detectify Labs that he exploited a vulnerability in HTTPS Everywhere. He said that he first started investigating the source code to HTTPS Everywhere hoping to find some bug but was disappointed. After some testing, he realized that the best way to make a user unknowingly access the URI handler is to set up a HTML page with PoC javascript that will send out a request to the browser. Almost all the requests to load the “chrome-extension” URI were blocked by the browser, but requests issued via the “ping” attribute were allowed.
Proof of Concept (P0C)
This is the PoC (proof of concept) combining the discoveries that would disable HTTPS Everywhere by just rendering the HTML: Aftermath of rendering that HTML:
Chrome patch
Karlsson said that he informed Google about the vulnerability of the Chrome to mishandle HTTPS Everywhere requests and found out that the bug had already been discovered by another security researcher in a separate report. Google had taken cognizance of the bug and it has been fixed in the latest stable version of the Chrome. The blogpost does not mention the version number of the stable version of Chrome so it can assumed that, Karlsson is talking about Chrome 44.0.2403.125 (Platform version: 7077.111.0) which was released just a few days back. This build contains a number of bug fixes and security updates, a partial list of which is available here. However, older versions of Chrome may still be vulnerable to this exploit.