On January 12th, an automatic Adobe Acrobat update force installed a new Chrome extension with ID efaidnbmnnnibpcajpcglclefindmkaj. You can view it on the Chrome Webstore here: https://chrome.google.com/webstore/detail/adobe-acrobat/efaidnbmnnnibpcajpcglclefindmkaj/

I can see from the webstore statistics it's already got ~30M installations.

It didn't take long to notice there's a DOM XSS in data/js/frame.html:

```
// data/js/frame.html, lines 531-536
} else if (request.current_status === "failure") {
    analytics(events.TREFOIL_HTML_CONVERT_FAILED);
    if (request.message) {
        str_status = request.message;
    }
    success = false;
```

Presumably you can do:

```
window.open("chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/data/js/frame.html?message=" + encodeURIComponent(JSON.stringify({
    panel_op: "status",
    current_status: "failure",
    message: "<h1>hello</h1>"
})));
```

I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.

I've also noticed the way they've designed the "to_html" RPC seems racy; the URL of a tab might change (because an attacker can do x = window.open(); x.location = "new location"). Right now I don't think you can do very much with it because it doesn't seem to be feature complete... but still, it seems worth noting this so it doesn't introduce a vulnerability when they enable it.
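Added example, not code from the Acrobat extension or from the report above: a Node-runnable model of the pattern described, with the query-parameter message used verbatim (the vulnerable path) beside a version that allow-lists the status value and escapes the message before it can reach an HTML sink. The function names parseStatusRequest, renderStatusUnsafe, renderStatusSafe and escapeHtml are assumptions made for this example.

```javascript
// Added example, not code from the Acrobat extension or the report above.
// It models the frame.html pattern: a "status" request arrives as JSON in
// the ?message= query parameter and request.message ends up in the page.
// All function names here are hypothetical, chosen for this example.

// Parse the JSON blob from the frame's query string. Returns null for
// anything that is not a well-formed "status" request object.
function parseStatusRequest(search) {
  const raw = new URLSearchParams(search).get("message");
  if (raw === null) return null;
  let request;
  try { request = JSON.parse(raw); } catch (e) { return null; }
  if (!request || typeof request !== "object" || request.panel_op !== "status") {
    return null;
  }
  return request;
}

// Vulnerable pattern, as in the quoted snippet: the attacker-controlled
// message string is used verbatim, so any markup it carries is rendered
// once it reaches an HTML sink such as innerHTML.
function renderStatusUnsafe(request) {
  let str_status = "Conversion failed";
  if (request.current_status === "failure" && request.message) {
    str_status = request.message;
  }
  return str_status; // this is what innerHTML would receive
}

// Hardened version: only known status values are accepted and the message
// is escaped, so it can only ever display as text. In a real page, writing
// to textContent instead of innerHTML gives the same guarantee.
const ALLOWED_STATUS = new Set(["success", "failure"]);

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderStatusSafe(request) {
  if (!ALLOWED_STATUS.has(request.current_status)) return null;
  let str_status = request.current_status === "failure" ? "Conversion failed" : "Done";
  if (request.current_status === "failure" && typeof request.message === "string") {
    str_status = request.message;
  }
  return escapeHtml(str_status);
}
```

The hardened path is the detection point as well: a status request whose message needed escaping, or whose current_status is not on the allow-list, is a request the extension's own code would never have generated.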