Reported by rob@robwu.nl, Apr 19 2016
Chrome version: 50.0.2661.75 (and still present on current HEAD, 52.0.2713.0)
The SchemaRegistry stores extension API schemas in a single v8::Context that lives until the RenderThread (=process?) is destroyed. Due to vulnerabilities in binding.js, these objects can be intercepted by malicious web pages. Since the object is persistent, this allows attackers to perform universal XSS in all frames and tabs that share this RenderThread (=process?).
See the attached proof of concept that shows an alert dialog on encrypted.google.com (in a frame, same tab or new tab).
The only requirements for exploitation are:
- The user should load the attacker's page (e.g. via an advert in a frame).
- The victim page (or a content script) accesses a property of the "chrome" object. In my exploit, I only hooked "chrome.runtime", but the method can be applied to any Chrome API.
- The target page is loaded in the same process (e.g. by loading the victim pages in a frame, or by following links).
Clearly, this is easy to exploit so it should be fixed ASAP.
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=604901