Breaking Microsoft Edge Extensions Security Policies

Nikhil Mittal


Browsers handle our sensitive information. We rely on them entirely to protect our privacy, which means blindly trusting a piece of software to protect us. Almost every one of us uses browser extensions in daily life, for example Adblock Plus, Grammarly, LastPass, etc.

But what is the reality when we talk about the security of browser extensions?

Every browser extension is installed with specific permissions. The most critical one is the host access permission, which defines the domains on which your browser extension can read/write data.

You might already notice the sensitivity of host permissions, since a small mistake in the implementation would lead to a massive security/privacy violation.

Think of it this way: you install an extension that has permission to execute JavaScript code on https://www.bing.com, but in fact it can also execute JavaScript code on https://mail.google.com. This means the extension can also read your Google mail, which violates user privacy and trust.
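What the declared host access is supposed to enforce, as an added example (not code from the talk or from Edge): a checker that decides whether a URL is covered by the host patterns in a manifest's permissions. The sample manifest and function names are constructed, and the pattern handling is a simplified reading of the WebExtensions match-pattern format.

```javascript
// Added illustration: evaluates WebExtensions-style host match patterns
// from a manifest "permissions" array. Manifest and names are constructed.
const WEB_SCHEMES = ["http:", "https:"];

// Split "<scheme>://<host><path>"; returns null for API permissions
// such as "tabs", which grant no host access.
function parsePattern(pattern) {
  if (pattern === "<all_urls>") return { all: true };
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2], path: m[3] } : null;
}

function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    const base = patternHost.slice(2);
    // "*.bing.com" covers bing.com and its subdomains, not "evilbing.com".
    return host === base || host.endsWith("." + base);
  }
  return host === patternHost;
}

function pathMatches(patternPath, path) {
  // Escape regex metacharacters, then let "*" match any run of characters.
  const re = patternPath.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + re + "$").test(path);
}

// True only if some declared host pattern covers the URL.
function isHostAccessGranted(manifest, url) {
  const u = new URL(url);
  return (manifest.permissions || []).some((p) => {
    const pat = parsePattern(p);
    if (!pat) return false;
    if (pat.all) return [...WEB_SCHEMES, "file:", "ftp:"].includes(u.protocol);
    const schemeOk = pat.scheme === "*"
      ? WEB_SCHEMES.includes(u.protocol)
      : u.protocol === pat.scheme + ":";
    return schemeOk && hostMatches(pat.host, u.hostname) &&
      pathMatches(pat.path, u.pathname + u.search);
  });
}

// Constructed manifest: host access limited to www.bing.com.
const sampleManifest = { name: "sample", permissions: ["tabs", "https://www.bing.com/*"] };
console.log(isHostAccessGranted(sampleManifest, "https://www.bing.com/search?q=x"));   // true
console.log(isHostAccessGranted(sampleManifest, "https://mail.google.com/mail/u/0/")); // false
```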

During our research on Edge extensions, we noticed a way to bypass host access permissions, which means an extension that has permission to work on bing.com can read data from Google, Facebook, and almost every other site.

Using the same technique, we can change internal browser settings. Further, we were able to read local system files using the extensions. Under certain conditions, it also allows JavaScript execution in reading mode, which is meant to protect users from any JavaScript code execution issues.

This major flaw in Microsoft Edge extensions was responsibly submitted to the Microsoft Security Team; as a result, CVE-2019-0678 was assigned, with the highest possible bounty.

Outline

1. Introduction to browser extensions
This section covers what browser extensions are, with examples of browser extensions that are used on a daily basis.

2. Permission model in browser extensions
This section details the importance of the manifest.json file and the several permissions supported by Edge extensions, and finally describes the different host access permissions and the concept of privileged pages in browsers.

3. Implementation of sample extension
In this section, we will understand the working of Edge extensions and their associated files.

4. Playing with Tabs API
This section includes the demonstration of loading external websites, local files and privileged pages using the tabs API.

5. Forcing Edge extensions to load local files and privileged pages
Here we will see how I fooled Edge extensions into allowing me to load local files and privileged pages as well.

6. Overview of the JavaScript protocol
This section briefly covers the working and use of the JavaScript protocol.

7. Bypassing host access permission
Continuing from the previous section, here we will discuss how I was able to bypass the host access permission of Edge extensions using JavaScript URIs.

8. Stealing Google mails
Once we have bypassed the host access permission, we will discuss how an Edge extension can read your Google emails without having permission.

9. Stealing local files
Continuing from the previous section, here we will discuss how an Edge extension can again escalate its privileges to read local system files.

10. Changing internal Edge settings
This section details how I was able to change internal Edge settings using Edge extensions; this includes enabling/disabling Flash and enabling/disabling developer features.

11. Force update of the compatibility list
This section details how an extension can force an update of the Microsoft compatibility list.

12. JavaScript code execution in reading mode?
Here we will discuss the working of reading mode and the CSP issues associated with it.

13. Escalating CSP privileges
This section describes how Edge extensions provide more privileges to the user when dealing with Content Security Policy.
