Session
Fahrplan - Main Programme 36C3
Security

Breaking Microsoft Edge Extensions Security Policies

Eliza
Nikhil Mittal
Browsers handle our most sensitive information. We rely on them entirely to protect our privacy, which amounts to blindly trusting a piece of software to protect us. Almost every one of us uses browser extensions in daily life, for example Adblock Plus, Grammarly, LastPass, etc.

But what is the reality when we talk about the security of browser extensions?

Every browser extension is installed with specific permissions; the most critical one is the host access permission, which defines on which particular domains your browser extension can read/write data.

You may already have noticed how sensitive host permissions are, since a small mistake in the implementation flow can lead to a massive security/privacy violation.

Think of it this way: you install an extension that has permission to execute JavaScript code on https://www.bing.com, but in fact it allows JavaScript code execution on https://mail.google.com. This means the extension can also read your Google mail, which violates user privacy and trust.

During our research on Edge extensions, we noticed a way to bypass host access permissions, which means an extension that has permission to work on bing.com can read your Google, Facebook and almost every other site's data.

We noticed that, using this flow, we can change internal browser settings. Further, we were able to read local system files using the extensions. Also, in certain conditions, it allows you to execute JavaScript in reading mode, which is meant to protect users from any JavaScript code execution issues.

This major flaw in Microsoft Edge extensions was responsibly submitted to the Microsoft Security Team; as a result, CVE-2019-0678 was assigned with the highest possible bounty.

Outline

1. Introduction to browser extensions. This section covers what browser extensions are, with examples of browser extensions used on a daily basis.

2. Permission model in browser extensions. This section details the importance of the manifest.json file, then the various permissions supported by Edge extensions, and finally the different host access permissions and the concept of privileged pages in browsers.

3. Implementation of a sample extension. In this section we look at how Edge extensions work and the files involved.

4. Playing with the Tabs API. This section demonstrates loading external websites, local files and privileged pages using the tabs API.

5. Forcing Edge extensions to load local files and privileged pages. Here we will see how I fooled Edge extensions into letting me load local files and privileged pages as well.

6. Overview of the javascript: protocol. This section briefly covers how the JavaScript protocol works and what it is used for.

7. Bypassing host access permission. Continuing from the previous section, here we discuss how I was able to bypass the host access permission of Edge extensions using javascript: URIs.

8. Stealing Google mails. Once the host access permission is bypassed, we discuss how an Edge extension can read your Google emails without having permission to do so.

9. Stealing local files. Continuing from the previous section, here we discuss how an Edge extension can again escalate its privileges to read local system files.

10. Changing internal Edge settings. This section details how I was able to change internal Edge settings using Edge extensions, including enabling/disabling Flash and enabling/disabling developer features.

11. Force-updating the compatibility list. This section details how an extension can force an update of the Microsoft compatibility list.

12. JavaScript code execution in reading mode? Here we discuss how reading mode works and the CSP issues associated with it.

13. Escalating CSP privileges. This section describes how Edge extensions provide more privileges to the user when dealing with Content Security Policy.
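The host-permission check that the abstract and outline items 2, 4, 5 and 7 revolve around, as an added example that is not code from the talk or from Microsoft: a small model of WebExtensions match patterns (the `<scheme>://<host><path>` syntax and `<all_urls>`) together with the URL-scheme gate a browser has to apply before consulting any pattern. The manifest, the sample URLs and the function names (`isUrlAllowed`, `compileMatchPattern`, `overBroadPatterns`) are constructed for this example; the real EdgeHTML implementation is not shown here.

```javascript
// Added example, not code from the talk or from Microsoft. It models the
// WebExtensions host-permission check (match patterns of the form
// <scheme>://<host><path>, plus "<all_urls>") and applies it to the kinds of
// URL the talk discusses: ordinary sites, javascript: URIs, local files and
// privileged pages. Manifest and URLs below are constructed for illustration.

// Schemes that any match pattern, even "<all_urls>", can ever cover.
const MATCHABLE_SCHEMES = new Set(["http:", "https:", "file:", "ftp:"]);
// Schemes allowed in the <scheme> part of a pattern; "*" means http or https.
const PATTERN_SCHEMES = new Set(["http", "https", "file", "ftp", "*"]);

// Turn the <path> glob into an anchored RegExp: "*" matches any run of characters.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// Compile one match pattern into a predicate over a parsed URL object.
function compileMatchPattern(pattern) {
  if (pattern === "<all_urls>") return (u) => MATCHABLE_SCHEMES.has(u.protocol);
  const m = /^([a-z*][a-z0-9+.-]*):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  if (!PATTERN_SCHEMES.has(scheme)) throw new Error(`unsupported scheme in pattern: ${pattern}`);
  if (host === "" && scheme !== "file") throw new Error(`missing host in pattern: ${pattern}`);
  if (host.includes("*") && host !== "*" && !host.startsWith("*.")) {
    throw new Error(`wildcard must be the whole host or a leading "*.": ${pattern}`);
  }
  const schemeOk = scheme === "*"
    ? (p) => p === "http:" || p === "https:"
    : (p) => p === `${scheme}:`;
  const hostOk = host === "*"
    ? () => true
    : host.startsWith("*.")
      ? (h) => h === host.slice(2) || h.endsWith(host.slice(1)) // "*.example.com" also matches example.com
      : (h) => h === host;
  const pathOk = globToRegExp(path);
  return (u) => schemeOk(u.protocol) && hostOk(u.hostname) && pathOk.test(u.pathname + u.search);
}

// The decision the browser has to make: may this extension touch this URL?
// Unparseable URLs and non-web schemes (javascript:, about:, data:, edge:, ...)
// are refused before any pattern is consulted, so no pattern, however broad,
// can grant them.
function isUrlAllowed(rawUrl, hostPermissions) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (!MATCHABLE_SCHEMES.has(url.protocol)) return false;
  return hostPermissions.some((pattern) => compileMatchPattern(pattern)(url));
}

// Constructed manifest in the v2 style, where host patterns live in
// "permissions" alongside API permission names such as "tabs".
const EXAMPLE_MANIFEST = {
  name: "Bing helper (constructed example)",
  manifest_version: 2,
  permissions: ["tabs", "storage", "*://www.bing.com/*"],
};

// Separate host patterns from API permissions.
function hostPermissionsOf(manifest) {
  return (manifest.permissions || []).filter((p) => p === "<all_urls>" || p.includes("://"));
}

// Review check: flag patterns that grant every site, which a narrowly scoped
// extension should not need.
function overBroadPatterns(manifest) {
  return hostPermissionsOf(manifest).filter((p) => {
    if (p === "<all_urls>") return true;
    const host = p.split("://")[1].split("/")[0];
    return host === "*";
  });
}

// Evaluate constructed URLs against the constructed manifest; returns {url: allowed}.
function evaluate(manifest = EXAMPLE_MANIFEST) {
  const hosts = hostPermissionsOf(manifest);
  const urls = [
    "https://www.bing.com/search?q=test", // permitted site
    "https://mail.google.com/mail/u/0/",   // other site: must be refused
    "javascript:void(0)",                  // javascript: URI: never matchable
    "file:///etc/hosts",                   // local file: only with an explicit file:// pattern
    "about:flags",                         // privileged page: never matchable
  ];
  return Object.fromEntries(urls.map((u) => [u, isUrlAllowed(u, hosts)]));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluate());
  console.log("over-broad:", overBroadPatterns({ permissions: ["<all_urls>", "*://*/*", "https://a.b/*"] }));
}
```

The talk's point shows up in the last three URLs: a host pattern can only ever match http, https, file or ftp URLs, so a javascript: URI or a privileged about: page has to be refused before pattern matching starts, and file:// access needs its own explicit pattern. Any code path that navigates a tab or evaluates a URL's origin without that scheme gate is where a bypass of the kind the abstract describes would hide; `overBroadPatterns` is the reviewer's companion check for manifests that ask for every site.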

Additional information

Type: lecture
Language: English
