dragouf / Stash-Reviewers-Chrome-Extension

This Chrome/Firefox extension allows you to define groups of reviewers in Atlassian Stash/Bitbucket and add them in bulk when creating or updating a pull request, plus other features.
MIT License
88 stars, 34 forks

[Exploitable Vulnerabilities Found in Your Chrome Extension Stash Extension] #69

Closed. mesolido closed this 4 years ago

mesolido commented 4 years ago

Dear extension developer,

We are scientific researchers at CISPA in Germany. We are contacting you to disclose the results of a study we have performed on browser extensions.

We found that your Chrome extension Stash Extension [ https://chrome.google.com/webstore/detail/stash-extension/kpgdinlfgnkbfkmffilkgmeahphehegk ] presents the following vulnerability.

Your extension allows any webpage to make remote requests to any web server on behalf of the user, and retrieve sensitive information from there. In particular, if the user is logged into a sensitive website such as her mail provider, social network websites, bank websites or any website (Gmail, Twitter, Facebook, Instagram, etc.), any (malicious) webpage can use your extension to connect to those websites and retrieve sensitive information from them.

To summarize, your extension can be exploited by any (malicious) web page in order to affect the security and privacy of potentially sensitive data (websites data) of the users of your extension.

We have built a proof-of-concept, accessible at https://swag.cispa.saarland/extension_pocs/kpgdinlfgnbpo9tfa06p/ where we explain and demonstrate how your extension is vulnerable, how attackers can exploit it, and what kind of sensitive user data it can leak to the attackers. Please feel free to contact us if you need more input from us regarding the proof-of-concept.

Finally, we would be very happy to hear back from you, in order to incorporate your feedback (anonymized) in our research paper. In particular, can you confirm the vulnerabilities? Have you/will you address them in the near future? Do you have further comments? Of course, be assured that we are not going to publicly release the exploits we are sharing with you.

Best regards, CISPA Researchers

mesolido commented 4 years ago

@dragouf do you mind saying a few words about this? If you want, I can also share my private email address for that.

dragouf commented 4 years ago

Sorry @mesolido, I don't maintain this code anymore. I'm not surprised about that, since I had to remove the URL restriction from the manifest and I had no alternative at this time. People who want to secure the extension can clone the code and add URL constraints in the manifest. If you have a solution to fix it quickly, I'll let you do a PR. About the ticket, I closed it to avoid exposing too much of what you wrote, since I don't have time to fix it.

mesolido commented 4 years ago

@dragouf sure, I understand. I am willing to help fix the issue. Unfortunately I do not understand what the extension is doing. But from what I have read, it seems that you want the extension to interact with pages such as bitbucket.org, atlassian.com and self-hosted Bitbucket servers. If this is right, you could reduce the default origins to bitbucket and atlassian, and additionally offer a settings page where the user can define a list of additional origins (for the self-hosted Bitbucket servers) where the extension should be active. If this is how the extension should work, I can do a PR and submit the new code to you.
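The mitigation proposed in the comment above, worked through as an added example. This is not code from the Stash-Reviewers extension or from the pull request mentioned later in the thread; it shows the shape of the fix a background script can apply when it performs requests on behalf of a page: keep a small default allowlist of hosts (bitbucket.org, atlassian.com), let the user add self-hosted servers, and refuse any proxied request unless both the requesting page and the target URL are on that list and on the same host. The `DEFAULT_HOSTS` values, the `extraHosts` storage key and the `proxyFetch` message type are assumptions made for the example.

```javascript
// Added example (not the extension's own code): allowlist-based authorisation
// for a background-script request proxy, as discussed in the issue thread.
// DEFAULT_HOSTS, the "extraHosts" storage key and the "proxyFetch" message
// type are assumed names, not taken from the project.

const DEFAULT_HOSTS = ["bitbucket.org", "*.atlassian.com"];

// Match a hostname against an allowlist entry. "*.example.com" covers the
// apex and every subdomain; any other entry must match exactly.
function hostMatches(hostname, pattern) {
  const host = hostname.toLowerCase();
  const pat = pattern.toLowerCase();
  if (pat.startsWith("*.")) {
    const base = pat.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === pat;
}

// Parse a URL and reject anything that is not plain https.
function parseHttpsUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  return u.protocol === "https:" ? u : null;
}

// Merge user-configured self-hosted servers (from the settings page) into the
// default list, keeping only entries that look like hostnames.
const HOST_PATTERN = /^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*$/i;
function buildAllowlist(extraHosts) {
  const merged = new Set(DEFAULT_HOSTS);
  for (const h of extraHosts || []) {
    const trimmed = String(h).trim().toLowerCase();
    if (HOST_PATTERN.test(trimmed)) merged.add(trimmed);
  }
  return [...merged];
}

// Decide whether the background script may fetch targetUrl for the page at
// senderUrl. The sender must be an allowlisted host and the target must be on
// the same host, so an arbitrary page cannot use the extension to read
// responses from a site where the user happens to be logged in.
function authorizeProxyRequest(senderUrl, targetUrl, allowedHosts) {
  const sender = parseHttpsUrl(senderUrl);
  const target = parseHttpsUrl(targetUrl);
  if (!sender || !target) {
    return { allowed: false, reason: "not a valid https URL" };
  }
  if (!allowedHosts.some((p) => hostMatches(sender.hostname, p))) {
    return { allowed: false, reason: "sender host not on allowlist" };
  }
  if (sender.hostname !== target.hostname) {
    return { allowed: false, reason: "cross-host request refused" };
  }
  return { allowed: true, url: target.href };
}

// Wiring into the extension; only runs inside a browser extension context.
// The listener consults the decision above before touching the network.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    if (!msg || msg.type !== "proxyFetch") return false;
    chrome.storage.sync.get({ extraHosts: [] }, ({ extraHosts }) => {
      const decision = authorizeProxyRequest(sender.url, msg.url, buildAllowlist(extraHosts));
      if (!decision.allowed) {
        sendResponse({ error: decision.reason });
        return;
      }
      fetch(decision.url, { credentials: "include" })
        .then((r) => r.text())
        .then((body) => sendResponse({ body }))
        .catch((e) => sendResponse({ error: String(e) }));
    });
    return true; // keep the channel open for the asynchronous response
  });
}
```

The runtime check only has teeth if the manifest is tightened to match: the default hosts belong in the manifest's host permissions, and the user-added servers are best requested at runtime as optional host permissions when they are saved from the settings page, so the extension never holds broad permissions it does not need.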

dragouf commented 4 years ago

Yes, so originally it was done in the manifest file, but when I decided to share it I removed it and didn't add a settings page to let the user set it himself. Anyway, thanks for the information and your help. If you have time for the PR, it is welcome; if not, I will see what I can do when I have time.

mesolido commented 4 years ago

@dragouf I have created a fork and a pull request where I do exactly what we were discussing.

dragouf commented 4 years ago

@mesolido thanks a lot for your work. I will merge it and deploy it on the store as soon as I can.