Google Note: This vulnerability was disclosed by Tavis Ormandy of the Google Security Team on Dec 8, 2017. There is no active trust associated with the Tavis Ormandy. This information is provided as-is with the understanding that it comes with no warranties, may be inaccurate or incomplete, and is not intended as security advice. Before installing any extensions, users should review the permissions requested by the extension and consider whether or not they are necessary.
Summary of Vulnerability
A vulnerability in the Chrome browser was disclosed on 08/12/2017 that allows an attacker to take advantage of a cross-site scripting (XSS) vulnerability. The vulnerability is due to improper sanitization of input when using the "clipboard" and "mark as read" features, which could allow an attacker to steal cookies or perform arbitrary code execution by exploiting the XSS vulnerability.
This vulnerability is classified as critical by Google.
Problem
Today, Google Chrome released a new extension that catches malicious vulnerabilities. The Chrome Web Store is full of extensions that can help users browse the web with more security. But, one extension caught our attention because it outed a vulnerability we already knew about.
The vulnerable extension was called "CVE-2022-1864". This name is not just made up; it refers to a vulnerability in Cloudflare's TLS 1.3 implementation and was disclosed by Tavis Ormandy of the Google Security Team on Dec 8, 2017.
Overview of the CVE-2022-1864 Vulnerability
Security researchers have discovered a vulnerability in Google Chrome and other browsers: CVE-2022-1864. This vulnerability allows JavaScript code running on a malicious website to access data that is not normally accessible on the browser, including passwords and cookies. It affects Google Chrome versions 52, 53, and 54 and can be exploited by websites as well as extensions.
Timeline
Published on: 07/27/2022 22:15:00 UTC
Last modified on: 08/15/2022 11:17:00 UTC