Replying to @hanno
the bug does not say if frame.html is in the content or background page. The least you can do is to hijack the extension.
If in the content script, you have an XSS on every site it runs on. It depends on the Manifest of the extension where it runs.
Furthermore you can have authenticated cross-domain XHRs to all sites the manifest allows (basically CSRF).
In the content script you only have a limited set of extension APIs. In the background page it would be worse.
Turning it into code execution is non-trivial and would require you to have an injection into a "magic" origin.
Ah wait, Tavis opens the page via a chrome-extension URI. So the XSS runs in a privileged URI scheme.
In some Chrome URI schemes you can get code exec via XSS. But I am not sure about chrome-extension.
I'd be surprised if that's possible from chrome-extension:, because it would allow any extension to elevate privileges.
Any extension can do things like navigating to file: URIs.
And in this case, the extension also has the ability to inject code into any http or https page afaics in the manifest.
So afaics in this case it's UXSS on http and https, plus ability to load file:// URIs and some other special stuff.
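The thread's point is that the blast radius of an XSS in an extension page is set by its manifest: where content scripts run, which hosts the extension may fetch with cookies, whether the page is reachable by chrome-extension:// URL from the web, and how strict the CSP is. As an added example (not from the thread or from any real extension), this audit reads a constructed manifest and reports exactly those properties; the sample values are made up.

```python
import json

# Constructed sample manifest (MV2 shape); not taken from any real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-extension",
    "permissions": ["<all_urls>", "tabs", "storage"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["cs.js"]}],
    "web_accessible_resources": ["frame.html"],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
})

# Match patterns that mean "every site": an XSS in a content script with one of
# these lands on every origin the user visits (UXSS-equivalent impact).
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file://*/*")


def audit_manifest(manifest_text):
    """Return a list of (finding, evidence) tuples describing XSS blast radius."""
    m = json.loads(manifest_text)
    findings = []

    # 1. Where content scripts execute.
    for cs in m.get("content_scripts", []):
        broad = [p for p in cs.get("matches", []) if p in BROAD_PATTERNS]
        if broad:
            findings.append(("content_script_broad_matches", broad))

    # 2. Host permissions: origins reachable by authenticated XHR from extension pages.
    hosts = [p for p in m.get("permissions", []) if p in BROAD_PATTERNS or "://" in p]
    if hosts:
        findings.append(("host_permissions", hosts))

    # 3. Pages/resources a web page may load by chrome-extension:// URL.
    #    MV2 lists strings; MV3 lists {"resources": [...], "matches": [...]} objects.
    exposed = []
    for entry in m.get("web_accessible_resources", []):
        exposed.extend(entry.get("resources", []) if isinstance(entry, dict) else [entry])
    if exposed:
        findings.append(("web_accessible_resources", exposed))

    # 4. CSP of extension pages; the default forbids inline script and eval.
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 splits CSP per context
        csp = csp.get("extension_pages", "")
    if "'unsafe-eval'" in csp or "'unsafe-inline'" in csp:
        findings.append(("weak_csp", csp))
    return findings


if __name__ == "__main__":
    for name, evidence in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {evidence}")
```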