The issue is caused by the way extension permissions are validated when a new version is installed. If an installed extension has granted itself a new permission in an update, that update may have been applied without prompting the user, so the extension now has access to data it was not previously given. To be vulnerable, the extension must have added a new permission to itself. For example, an extension may have been installed that gives the user the option to share data on any website; if the extension then grants itself permission to read the data on any website, the update may have gone through without the user being aware of it. The best way to avoid this issue is to install only extensions that have been specifically audited and that their developer has limited to the access they need. End users need to be cautious about installing extensions that have ended up with access to data they were never knowingly granted.
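As an added illustration (not code from the original page or from any browser vendor), the following Python script compares two versions of an extension's manifest.json and reports the permissions gained on update, which is the kind of check a permission-validation step should perform before applying a silent update. The two manifests and the list of "all sites" host patterns are constructed for the example; the script also goes slightly beyond the text by handling both the older layout (host patterns inside "permissions") and the current one ("host_permissions").

```python
import json

# Host patterns that grant access to every site (constructed list for this example).
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Host match patterns from both 'permissions' (older layout) and 'host_permissions'."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return pats

def api_permissions(manifest):
    """Named API permissions: everything in 'permissions' that is not a host pattern."""
    return set(manifest.get("permissions", [])) - host_patterns(manifest)

def diff_permissions(old, new):
    """Report what the new manifest can do that the old one could not."""
    added_hosts = host_patterns(new) - host_patterns(old)
    had_all_sites = bool(host_patterns(old) & ALL_SITES_PATTERNS)
    report = {
        "added_api": sorted(api_permissions(new) - api_permissions(old)),
        "added_hosts": sorted(added_hosts),
        # True when the update is the escalation the text describes: a site-scoped
        # extension now reading data on any website.
        "broadened_to_all_sites": (not had_all_sites) and bool(added_hosts & ALL_SITES_PATTERNS),
    }
    # Any newly gained permission is a reason to stop and prompt the user.
    report["should_prompt"] = bool(report["added_api"] or report["added_hosts"])
    return report

# Constructed sample manifests: version 1.1 asks for more than version 1.0 did.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Share Helper", "version": "1.0",
  "permissions": ["activeTab", "storage"],
  "host_permissions": ["https://example.com/*"]
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Share Helper", "version": "1.1",
  "permissions": ["activeTab", "storage", "tabs", "cookies"],
  "host_permissions": ["https://example.com/*", "<all_urls>"]
}""")

if __name__ == "__main__":
    print(json.dumps(diff_permissions(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```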

How to fix this?

This issue can be fixed by the extension developer. The developer needs to reinstate the permissions the extension was originally given. If a permission was removed unintentionally, there are a few steps that can be taken:
1) Opening "chrome://extensions" will show all of the extensions installed on your computer. This is where you need to find out which extension has been causing the issue and then uninstall it.
2) Navigating to chrome://settings/manage/extensions and selecting the offending extension will show you a list of the permissions granted to it, including "access private browsing data". Go through this list and remove any permissions that weren't originally given to the extension.
3) Navigating to chrome://extensions/ will show you all of the extensions installed on your computer (extensions that are currently installed are highlighted in green). Double-click an individual extension and navigate down to "permissions", where you should see its accesses listed, one of them being "reading data from other sites". Remove this permission if it wasn't originally given to the extension.

Common pitfalls when installing extensions

As with any security issue, it is important to install extensions with caution. One common error occurs when an extension asks for permission to access data that the user never intended to grant. For example, if an extension allows the user to share data on any website and then grants itself permission to read that data, the update may have gone through without the user's knowledge. This can lead to a compromise of security and privacy.

CVE-2023-22830


Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 23:06:00 UTC