Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Microsoft Edge's Marketing API Exploited for Covert Extension Installation

Oleg Zaytsev - Guardio Labs. Posted 1 year ago.
  • Chromium, the underlying browser engine that powers Edge, is highly customizable. For instance, a file called _api_features.json stores the permissions for vendor-specific APIs, and resources.pak holds the resources for those APIs as well. By comparing these files against standard Chrome, the authors found various custom-added APIs.
  • While browsing through these, they found the edgeMarketingPagePrivate API. According to the permission model, this API was only accessible from a list of websites belonging to Microsoft. It was designed to integrate marketing campaigns. How did it do this? It adds a custom hidden theme, which is similar to an extension. However, they found that, by chance, it also accepted extensions!
  • To add the theme or extension, the private API had to be called with a specific ID. Since the item is hidden and already permissioned, there is no explicit confirmation from the user that this change is okay.
  • To exploit this, the authors give a few hypothetical scenarios. First, an XSS on any of these domains would lead to the installation of an arbitrary extension that was very, very highly permissioned. The other method was that another extension could inject the JS snippet into one of the domains to trigger the install. This would escalate from a low-privilege to a high-privilege extension, just with a little JavaScript.
  • To fix the issue, only theme IDs (and not extension IDs) are allowed to be provided. To me, this feels like the underlying Chrome API used to add this extension shares functionality between themes and extensions, but that is just an assumption. The authors mention that a simple domain-based restriction on sensitive functionality is not enough to stop bad things from happening, which I tend to agree with. Good find!
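The weakness and its fix, as an added illustration that is not code from the article or from Edge: a hypothetical model of a privileged "install marketing item" handler, where the origin allow-list, manifest shapes and function names are my assumptions. The one real detail it relies on is that Chrome packages a theme as an extension whose manifest carries a `theme` key and no code or permission entries.

```javascript
// Constructed allow-list standing in for the Microsoft-owned marketing domains.
const ALLOWED_ORIGINS = new Set(["https://marketing.example.com"]);

// A theme manifest has a "theme" key and carries no code or permissions;
// anything that declares code or permissions is a full extension.
function isThemeManifest(manifest) {
  if (!manifest || typeof manifest !== "object" || !("theme" in manifest)) return false;
  const extensionOnlyKeys = ["background", "content_scripts", "permissions",
                             "host_permissions", "action"];
  return !extensionOnlyKeys.some((k) => k in manifest);
}

// Weak check (the situation the article describes): trust the calling
// origin alone, so any caller on an allowed domain, XSS included, can
// install whatever the manifest happens to be.
function installWeak(callerOrigin, manifest) {
  if (!ALLOWED_ORIGINS.has(callerOrigin)) return { ok: false, reason: "origin" };
  return { ok: true, kind: "theme" in manifest ? "theme" : "extension" };
}

// Hardened check (the fix): keep the origin gate, but also verify that the
// payload is really a theme before installing it silently.
function installHardened(callerOrigin, manifest) {
  if (!ALLOWED_ORIGINS.has(callerOrigin)) return { ok: false, reason: "origin" };
  if (!isThemeManifest(manifest)) return { ok: false, reason: "not-a-theme" };
  return { ok: true, kind: "theme" };
}

// Constructed sample manifests: a harmless theme and a highly permissioned extension.
const THEME = { name: "Seasonal theme", theme: { colors: { frame: [0, 0, 0] } } };
const EXTENSION = {
  name: "Helper",
  permissions: ["tabs", "<all_urls>"],
  background: { service_worker: "bg.js" },
};

// Run both handlers from a trusted origin and from a foreign one.
function demo() {
  const trusted = "https://marketing.example.com";
  return {
    weakExt: installWeak(trusted, EXTENSION),          // slips through
    hardExt: installHardened(trusted, EXTENSION),      // rejected
    hardTheme: installHardened(trusted, THEME),        // allowed
    foreign: installHardened("https://other.example.net", THEME), // origin gate
  };
}
```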