XSS in Gmail through Rapportive (opens in new tab)

(blog.kotowicz.net)

110 pointsxSwag12y ago13 comments

13 comments

12 comments · 8 top-level

troels12y ago· 3 in thread

Wow, that's scary stuff.

I guess the lesson here is to only use extensions from vendors where you have absolute confidence in their capabilities or from popular open source projects (Basically the same thing).

Morgawr12y ago

Honestly, I'd rather just not use extensions at all. They've proven insecure in the past and will probably be insecure in the future. Even if they come from a trusted vendor, that won't mean that it won't be compromised.

Are all these extensions that "prettify" our browsing experience all this necessary? Some, maybe (HTTPS everywhere, Ghostery, NoScript, etc etc), but most of them aren't. I personally prefer to keep my browser clean, it's even more responsive this way.

hamburglar12y ago

Agreed. I read "extension that alters or scrapes pages you visit" and I hear "quick and dirty hack that does nearly-blind poking around in a foreign DOM tree that could change at any time." It doesn't exactly inspire confidence that someone who would rely on such a fragile technique would put a ton of thought into security.

notatoad12y ago

What i'd like to see, and as far as i know it doesn't exist in any browser, is a way to prevent any extensions from running on certain sites. I want some things like adblock installed for general browsing, but there's no reason i need it running on my email, my banking, my employer's control panel. I can white-list sites inside of extensions, but that still leaves me trusting the extension to properly implement their white-listing feature. I'd much rather have chrome managing a list of sites where the extension doesn't get to run at all.

2 more replies

RyanZAG12y ago· 1 in thread

Yeah so I'm uninstalling every plugin/extension I have that I don't absolutely trust. I'd recommend you do the same.

arkitaip12y ago

It's not a question of trust but competence, and that's practically impossible to evaluate as an end user.

borski12y ago

This type of thing is all too common. We wrote about a worse case last year where an extension XSS'd quite literally the entire internet: https://www.tinfoilsecurity.com/blog/building-a-browser-exte...

The scariest thing here is that you have arbitrary code execution, so your options are limitless. Check out XSS Harvest: https://github.com/Miserlou/XSS-Harvest

ufmace12y ago

Interesting. Looks like the most potentially dangerous extensions are the ones pulling stuff from other websites to inject into the current site, and ones doing text processing/conversion on document contents. I don't have any extensions that do that, so hopefully I'm safe...

driverdan12y ago

Security problems like this are so common in 3rd party extensions / plugins / add-ons. While the most widely used open source ones tend to have less bugs many of the less popular ones are full of problems. Take a look at WordPress plugins to see what I mean.

iggyhop12y ago

rapportive is a quite versatile tool... http://jordan-wright.github.io/blog/2013/10/14/automated-soc...

yeukhon12y ago

See this talk: https://www.usenix.org/conference/usenixsecurity12/evaluatio...

skillcode12y ago

great find :)

j / k navigate · click thread line to collapse