Security: A compromised renderer process is able to spoof a content script message
A compromised renderer process is able to spoof a content script message and perform sensitive actions, e.g., add a custom filter.
A compromised renderer process can spoof a content script message and an extension should validate and sanitize the message[1][2]. However, the message handlers don't check whether the message came from a content script or an extension page and validate it.
For instance, a message of type filters.add should only come from the extension page, but it also accepts messages from a content script (https://gitlab.com/eyeo/adblockplus/abpui/adblockplusui/-/blob/9abbd5083d4a2c8a271f5a3de3015282a1aa5529/adblockpluschrome/lib/filterConfiguration.js#L291). As a result, when a user of the extension visits a malicious page with a renderer bug, it may add a custom filter.
Since ABP doesn't allow rewriting to an external URL or inserting arbitrary script or CSS, its impact seems to be limited.
[1] https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/compromised-renderers.md
[2] https://developer.chrome.com/docs/extensions/mv3/security/#content_scripts
Environment
- OS version: Windows 11
- Browser version: Chrome 98
- Extension version: Adblock Plus 3.12, AdBlock 4.43.0 (It seems the latter depends on the same code. Should I report the issue to AdBlock too?)
- Last working version: N/A
Steps to reproduce
- Install Adblock Plus extension (https://chrome.google.com/webstore/detail/adblock-plus-free-ad-bloc/cfhdojbkjhnklbpkdaibdccddilifddb).
- Open any page (e.g., https://example.com) and open DevTools Console.
- To simulate a compromised renderer, change the JavaScript context to Adblock Plus and run chrome.runtime.sendMessage({type: "filters.add", text: "google.com#$#log Hello"}).
- Visit https://google.com and open DevTools Console.
Observed behavior
A custom filter has been added and "Hello" is logged to the console.
Expected behavior
A custom filter should not be added.
Proposed fix
Limit the scope of privileged actions that can be triggered by content scripts.
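One way a background script can enforce that limit, as an added example that is not Adblock Plus code: decide per message type whether it may come from a content script at all, and check the browser-supplied sender before acting. Only "filters.add" is taken from the report; the other type names, the page names and the sender objects are illustrative assumptions.

```javascript
// Message types that must only be accepted from the extension's own pages
// (settings page, popup, devtools panel). "filters.add" is from the report;
// the other names are illustrative assumptions.
const PRIVILEGED_TYPES = new Set(["filters.add", "filters.remove", "subscriptions.add"]);
// Message types a content script legitimately needs (illustrative assumptions).
const CONTENT_SCRIPT_TYPES = new Set(["composer.ready", "filters.blocked"]);

// True only when the message came from one of the extension's own pages.
// MessageSender is filled in by the browser, not by the sending document,
// so a compromised renderer cannot forge it. A missing or non-string url
// fails closed. `extensionBaseUrl` must end with "/" (chrome.runtime.getURL("")
// returns "chrome-extension://<id>/") so a look-alike host cannot match.
function isExtensionPage(sender, extensionBaseUrl) {
  if (!extensionBaseUrl.endsWith("/")) throw new Error("base url must end with /");
  return !!sender && typeof sender.url === "string" && sender.url.startsWith(extensionBaseUrl);
}

// Decide whether a message may be acted on. Returns a plain result object
// rather than calling chrome.* so the policy can be tested outside a browser.
function dispatch(message, sender, extensionBaseUrl) {
  if (!message || typeof message.type !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  const fromExtension = isExtensionPage(sender, extensionBaseUrl);
  if (PRIVILEGED_TYPES.has(message.type)) {
    return fromExtension
      ? { ok: true, action: message.type }
      : { ok: false, reason: "privileged type not allowed from content script" };
  }
  if (fromExtension || CONTENT_SCRIPT_TYPES.has(message.type)) {
    return { ok: true, action: message.type };
  }
  return { ok: false, reason: "unknown type" };
}

// Wiring in a background script (assumed usage, not executed here):
// chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
//   const result = dispatch(msg, sender, chrome.runtime.getURL(""));
//   if (result.ok) { /* perform result.action */ }
//   sendResponse(result);
// });
```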
Further information
As other ad blockers may have a similar vulnerability, I kindly ask that you defer making this bug public.
Hints for testers
- The Block element feature should continue to work as expected.
- Clicking on a subscribe link should show the confirmation dialog in the desktop settings page, regardless of whether the page is open already.
- The following UI pages should initialize without any obvious breakage:
- Desktop settings page
- Developer tools panel
- Icon popup