CVE-2022-24522 is a security vulnerability discovered in the Skype extension for Google Chrome. This bug could allow malicious websites to bypass security controls and gain access to sensitive information from your browser, jeopardizing your privacy. Let's break down what this means, how serious it is, and what you can do about it.

The Skype Extension: A Quick Overview

The Skype extension for Chrome lets users quickly initiate Skype calls and chats from their browser. While it's convenient, it also operates with privileges that can, if not carefully handled, expose user data to risks. In early 2022, researchers found a flaw that could allow malicious web pages to exploit the Skype extension and access sensitive data.

How Does the Vulnerability Work?

The core of this vulnerability is in how the Skype extension handles messages and permissions between web pages and its own internal API. Normally, an extension shouldn't trust content coming from arbitrary web pages. But due to improper input validation, the Skype extension did just that.

1. Malicious Website: An attacker lures a user to visit a specially crafted web page.
2. Improper Validation: This page sends crafted messages or requests to the Skype extension, taking advantage of the trust it wrongly gives to all web content.
3. Unauthorized Access: The Skype extension processes this data and could leak sensitive information, such as authentication tokens, contacts, or even past chat data, back to the malicious site.

Here's an illustrative snippet of what might go wrong in extension code:

// Vulnerable message listener in the extension's background script
chrome.runtime.onMessageExternal.addListener(
  function(request, sender, sendResponse) {
    // FLAW: Trusts messages from ALL external origins
    if (request.action === "getUserInfo") {
      sendResponse({ user: localStorage.getItem("skypeUser") });
    }
    // ... more actions
  }
);

// A malicious page could exploit with:
chrome.runtime.sendMessage(SkypeExtensionID, { action: "getUserInfo" }, (response) => {
  console.log(response.user); // Sensitive user data leaked!
});

Proper validation should restrict data access only to trusted origins. This code, unfortunately, didn't.

An attacker could manipulate the extension to leak even more information, depending on its scope of access.

This attack requires no user interaction beyond visiting a site. No downloads, no popups—you could be compromised just by browsing.

Mitigation and Fix

Microsoft quickly addressed the issue by properly validating the origin of messages and updating the extension.
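
One way to write the kind of origin check described above, as an added example (not Microsoft's or the extension's actual code). The allowlisted origin `https://app.example.com` and the helper names are hypothetical, and the handler is separated from the listener so it can be exercised outside the browser.

```javascript
// Hypothetical allowlist: exact origins permitted to message the extension.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);
// Only actions deliberately exposed to web pages.
const EXTERNAL_ACTIONS = new Set(["getUserInfo"]);

// Return the sender's normalized origin, or null if it cannot be determined.
function senderOrigin(sender) {
  const raw = sender && (sender.origin || sender.url);
  if (typeof raw !== "string") return null;
  try {
    const u = new URL(raw);
    // Require https so a network attacker cannot pose as the trusted site.
    return u.protocol === "https:" ? u.origin : null;
  } catch (e) {
    return null; // malformed URL: treat as untrusted
  }
}

function isTrustedSender(sender) {
  const origin = senderOrigin(sender);
  // Exact match on the parsed origin; startsWith()/includes() checks
  // would accept "https://app.example.com.evil.test".
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// getUser is injected so the handler can run without browser storage.
function handleExternalMessage(request, sender, sendResponse, getUser) {
  if (!isTrustedSender(sender)) {
    sendResponse({ error: "forbidden" });
    return false;
  }
  if (!request || !EXTERNAL_ACTIONS.has(request.action)) {
    sendResponse({ error: "unsupported" });
    return false;
  }
  sendResponse({ user: getUser() });
  return true;
}

// Register only when running inside an extension.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((request, sender, sendResponse) => {
    handleExternalMessage(request, sender, sendResponse,
      () => localStorage.getItem("skypeUser"));
  });
}
```

In the manifest, `externally_connectable.matches` should list the same origins, so that Chrome refuses connections from other pages before the listener runs.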

- Update Your Extension: If you use the Skype extension for Chrome, ensure it's up to date. Chrome extensions update automatically, but you can force an update:
1. Go to chrome://extensions in your browser.

3. Click "Update" to fetch the latest versions.

- Be Careful Online: Avoid visiting suspicious sites, especially if you use browser extensions with sensitive privileges.

Conclusion

CVE-2022-24522 is a reminder that even reputable browser extensions can have dangerous flaws. If you use the Skype extension for Chrome (or any browser add-on), keep it updated. Developers should always validate the origin of external messages to prevent similar bugs. Stay safe by being mindful of what you install and where you browse.

Timeline

Published on: 03/09/2022 17:15:00 UTC
Last modified on: 03/15/2022 15:53:00 UTC