Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Code Injection in WebUI page leading to sandbox escape - 997

bugs.chromium, posted 3 years ago
  • Extensions within the Chrome browser are immensely important for adding functionality to the browser. However, extensions have far greater capabilities than a standard web page, so the APIs exposed to extensions must be secure to ensure that no privilege escalation can occur.
  • The extension debugger API allows for debugging an extension during the development phase. When a tab is attached to the debugger and navigates to a new URL, Chrome checks whether the debugger is allowed to attach to that new URL, which of course requires the proper permissions.
  • If you try to attach to webui, then the debugging session should be terminated. Once this happens, the onDetach event triggers. I assume that webui is a general term for web pages, with some of the pages within Chrome being more privileged than others.
  • The bug is that while the onDetach event fired by the termination is being handled, a re-attach can occur on the tab. The author believes this happens because the URL change on the tab has not been committed yet, so the permission check uses the wrong URL: instead of looking at the WebUI URL the tab is navigating to, it looks at the original one, which has different permissions.
  • Why is this bad? If you can hit the debugger API, then you can add code into the page. By doing this on a privileged page, a serious privilege escalation could occur. This could even be used to execute commands on the device.
  • Overall, this is an interesting bug that comes down to a subtle logic issue. Sometimes, dynamic testing and trying out random things is the only way to find issues.
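
A simplified model of the stale-URL check described above, added here as an example (it is not the Chromium bug report's or Chrome's own code); the Tab class, the list of privileged schemes and the event ordering are assumptions made to illustrate the logic issue and its hardened form.

```javascript
// Assumption: these schemes stand in for "webui" in this model.
const PRIVILEGED_SCHEMES = ["chrome:", "devtools:"];

function isPrivileged(url) {
  return PRIVILEGED_SCHEMES.some((scheme) => url.startsWith(scheme));
}

// Hypothetical tab model: a committed URL plus a navigation that is in flight.
class Tab {
  constructor(url) {
    this.committedUrl = url; // last committed navigation
    this.pendingUrl = null;  // navigation started but not yet committed
    this.attached = false;
    this.onDetach = null;
  }
  navigate(url) { this.pendingUrl = url; }
  commit() {
    if (this.pendingUrl) { this.committedUrl = this.pendingUrl; this.pendingUrl = null; }
  }
}

// Flawed check: only consults the committed URL, so a pending WebUI navigation is missed.
function canAttachVulnerable(tab) {
  return !isPrivileged(tab.committedUrl);
}

// Hardened check: refuse if either the committed or the pending URL is privileged.
function canAttachHardened(tab) {
  const pendingPrivileged = tab.pendingUrl !== null && isPrivileged(tab.pendingUrl);
  return !isPrivileged(tab.committedUrl) && !pendingPrivileged;
}

// Replays the sequence from the write-up: attach to an ordinary page, navigate to
// WebUI, the browser tears the session down, and the onDetach handler re-attaches
// before the navigation has committed. Returns whether a debugger ends up attached
// to a privileged page.
function simulate(canAttach) {
  const tab = new Tab("https://example.test/"); // constructed sample origin
  tab.attached = canAttach(tab);
  tab.onDetach = () => { tab.attached = canAttach(tab); };
  tab.navigate("chrome://settings/");
  tab.attached = false; // session terminated because the destination is WebUI
  tab.onDetach();       // handler races the commit
  tab.commit();
  return tab.attached && isPrivileged(tab.committedUrl);
}
```

With the flawed check `simulate(canAttachVulnerable)` returns true (debugger attached to a WebUI page), while `simulate(canAttachHardened)` returns false.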