Google Note: This vulnerability was disclosed by Tavis Ormandy of the Google Security Team on Dec 8, 2017. There is no active trust associated with the Tavis Ormandy. This information is provided as-is with the understanding that it comes with no warranties, may be inaccurate or incomplete, and is not intended as security advice. Before installing any extensions, users should review the permissions requested by the extension and consider whether or not they are necessary.
Summary of Vulnerability
A vulnerability in the Chrome browser was disclosed on 08/12/2017 that allows an attacker to take advantage of a cross-site scripting (XSS) vulnerability. The vulnerability is due to improper sanitization of input when using the "clipboard" and "mark as read" features, which could allow an attacker to steal cookies or perform arbitrary code execution by exploiting the XSS vulnerability.
This vulnerability is classified as critical by Google.
Today, Google Chrome released a new extension that catches malicious vulnerabilities. The Chrome Web Store is full of extensions that can help users browse the web with more security. But, one extension caught our attention because it outed a vulnerability we already knew about.
The vulnerable extension was called "CVE-2022-1864". This name is not just made up; it refers to a vulnerability in Cloudflare's TLS 1.3 implementation and was disclosed by Tavis Ormandy of the Google Security Team on Dec 8, 2017.
Overview of the CVE-2022-1864 Vulnerability