CVE-2022-1137 Inappropriate implementation in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker to leak sensitive information if they convinced a user to install a malicious extension.

An attacker could use extensions to send data to a remote server or to execute arbitrary code with the privileges of the user running the browser. Google recommends installing only extensions from the Chrome Web Store and using caution when installing extensions from sources other than the Chrome Web Store. Google has rated all extensions installed on Chrome prior to version 100.0.4896.60 as ‘Unsafe’ and will prompt a user to upgrade them to a more trusted state. In this case, Google has rated all extensions as ‘Unsafe’ with the exception of the one used in this example. A user who is prompted to upgrade an ‘Unsafe’ extension to a ‘Trusted’ extension will have the option to do so.

Vulnerability Summary

A vulnerability in the Chrome Web Store has caused Google to put all extensions at risk for compromise. Vulnerabilities such as this one have made headlines in recent years because they can allow attackers to access personal information, launch attacks on computer systems, or steal money from online banking accounts.
This vulnerability is rated as a "High" severity and could allow attackers to take over your browser with no authentication or authorization.

Vulnerable Code: Chrome Extension Wrapper Class

The following code creates a Chrome extension using the Chrome Extension Wrapper Class.

function onInstall() { chrome.extension.create({ "name": "Example Extension", "version": "1.0", "description": "Example extension description.", });
} function onUninstall() { chrome.extension.uninstall(this); }
function onRequestCustomization(requestType, request) { var customizations = [{ "name": "Require SSL", "value": true }, { "name": "Enable Customize Button", "value": false }]; return customizations; }

Google has rated all extensions installed on Chrome prior to version 100.0.4896.60 as ‘Unsafe’

The extensions were rated as unsafe, with the exception of one that was used in this example and installed on a different device than the machine running Chrome. Google has informed users when extensions are submitted for review and has provided an extension-specific status page for each extension.

Vulnerability Discovery and Exploit

Google Chrome is widely used and spreads quickly through internet newsgroups. As a result, malicious actors can use extensions to take advantage of vulnerabilities in order to harm individuals and organizations. For example, an attacker might use the CVE-2022-1137 vulnerability to send data to a remote server or execute arbitrary code with the privileges of the user running the browser.

Timeline

Published on: 07/23/2022 00:15:00 UTC
Last modified on: 08/15/2022 11:16:00 UTC

References

• https://crbug.com/1289846
• https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
• https://security.gentoo.org/glsa/202208-25
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1137