Coordinated Disclosure Timeline
- 2024-02-09: Contacted support email zimocode@gmail.com. No response.
- 2024-03-15: GitHub repo moved to archived and read-only. Assume the maintainer has stopped supporting the product.
- 2024-05-22: Contacted Microsoft Extension Add On Store to remove extension from Microsoft Store.
Summary
A universal XSS is present in the Edge and Firefox versions of Smartup, allowing another extension to execute arbitrary code in the context of the user’s tab.
Project
smartup
Tested Version
Details
Universal XSS in Smartup (GHSL-2024-011)
The smartup gestures extension receives messages from external extensions without checking the identity of the sender. The external input is then sent to funOnMessage, which calls executeScript on the external message with the context of the current tab.
chrome.runtime.onMessageExternal.addListener(function(message, sender, sendResponse) {
    sub.funOnMessage(message, sender, sendResponse); // <----- message is user controlled
});
...
case "apps_test":
    let _fun = function() {
        if (message.appjs) {
            chrome.tabs.executeScript({code: "sue.apps['" + message.apptype + "'].initUI();", runAt: "document_start"}); // <----- message is passed into executeScript
            return;
        }
A malicious extension may be able to run arbitrary JavaScript in the context of a user's tab, compromising accounts that the user logs into.
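The fix a maintainer would apply to the pattern above, as an added example that is not Smartup's code: the external listener checks sender.id against an allowlist, and apptype is selected from a fixed vocabulary rather than spliced into the executeScript code string. The chrome API is mocked so it runs offline; ALLOWED_SENDERS, KNOWN_APPS and the dispatch field message.type are assumptions.

```javascript
// Added example, not the project's code. Names below are assumptions.

// Extension IDs allowed to send us external messages (constructed sample value).
const ALLOWED_SENDERS = new Set(["trusted-companion-extension-id"]);
// apptype ends up inside a script string, so it must be chosen from a fixed set.
const KNOWN_APPS = new Set(["clock", "notes"]);

// Stand-in for chrome.tabs.executeScript that only records what would run.
const executed = [];
const chrome = {
  tabs: { executeScript: (details) => { executed.push(details); } },
};

// Hardened handler. Returns a short outcome string so callers can check it.
function handleExternalMessage(message, sender) {
  // 1. sender.id is filled in by the browser for onMessageExternal, so the
  //    sending extension cannot forge it; reject anything not allowlisted.
  if (!sender || !ALLOWED_SENDERS.has(sender.id)) {
    return "rejected: unknown sender";
  }
  if (!message || typeof message !== "object") {
    return "rejected: malformed message";
  }
  switch (message.type) {
    case "apps_test": {
      if (!message.appjs) return "ignored";
      // 2. Never concatenate message fields into code. A value such as
      //    "x'].foo();//" would otherwise break out of the string literal.
      if (typeof message.apptype !== "string" || !KNOWN_APPS.has(message.apptype)) {
        return "rejected: unknown apptype";
      }
      chrome.tabs.executeScript({
        code: `sue.apps['${message.apptype}'].initUI();`,
        runAt: "document_start",
      });
      return "executed";
    }
    default:
      return "ignored";
  }
}

// Number of scripts the mock would have injected so far.
function executedCount() {
  return executed.length;
}
```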
This vulnerability was found with the help of CodeQL.
Impact
This issue may lead to Universal XSS.
CVE
- CVE-2024-49378
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-011 in any communication regarding this issue.