Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cross Platform 0-Day RCE Vulnerability Discovered in Opera’s Browser- 1387

Oleg Zaytsev - Guardio Labs. Posted 1 year ago
  • Chromium, the underlying browser engine that powers Opera, is highly customizable. Vendors building a user-facing browser on top of it can add custom APIs, and they can ship built-in extensions that run with special privileges and cannot be uninstalled by the user even if they want to.
  • Opera's My Flow feature is implemented by the built-in Opera Touch Background extension. Only web pages on specific Opera Flow domains are allowed to talk to this extension through the chrome.runtime.connect API (in a standard Chromium extension this allow-list is the manifest's externally_connectable field). The extension's My Flow message handler can open, send, and download files, and opening a file can result in an executable being run, which is a major issue.
  • Because the API is domain-restricted, there are two ways to reach it. The first is an XSS vulnerability on an allow-listed domain. The authors chose a different route: a malicious low-privilege extension that injects JavaScript into the allow-listed page to execute the payload. Since it is easy to trick users into installing an extension, or to compromise an existing one, this is a realistic attack vector.
  • Both routes run into the same obstacle: the page's Content Security Policy (CSP), which fine-tunes what content can be loaded on a page, from images to JavaScript. In addition, the page loaded its script with a Subresource Integrity (SRI) attribute, which pins a hash of the expected script bytes; modifying the script in flight changes the content, the hash no longer matches, and the browser refuses to run it. To be honest, I thought you could just add arbitrary tags to the page from an extension, but maybe I'm wrong about that.
  • To bypass the SRI check, they went back to previous versions of the content. To their surprise, they found an older version of the page that was still live and carried no SRI attribute at all. Through that page they could inject JavaScript with arbitrary content and cause havoc.
  • Calling the private API's SEND_FILE message lets the attacker upload any file to the victim's system, including an executable. Calling OPEN_FILE then runs that executable, giving code execution. Game over via a malicious extension and a single click of approval.
  • The actual remediation is not directly stated, which is odd. If I were remediating this, I'd restrict the file types that can be opened, remove the old HTML pages, and then look for further protections so that code execution is impossible. Otherwise, a super interesting finding that can probably be ported to other browsers.