We didn't verify this, but we believe your Step 3 isn't quiteĪccurate. Those changes and should be rolling them out later this year. In content scripts won't be possible, and translators will run inĪ sandbox without access to the DOM. In any case, Manifest V3 will render this moot, as eval'ing code Respect Google's defense-in-depth approach to webpage access. I don't know how secure it really is fromĪrbitrary filesystem access, but there's at least an argument toīe made that, as a Chrome extension, the Zotero Connector should We recognize that Google takes a bit of a different posture here,Įncrypting the Chrome cookie database and relying solely on system Multiple ways for a local app to get your website data more Point worrying about a rogue localhost server if there are already To set a proxy in prefs.js and install a custom CA. You access to the Firefox cookie database as well as the ability Position, and as far as I'm aware, filesystem access still gets Our position on local threats has been Mozilla's historical Important question here is regular local apps.) Month after a year's delay, and were rarely used before then. Local TCP server by default while preventing filesystem access,Īnd in any case Chrome Apps are discontinued for most people this Pretty idiosyncratic permissions model to allow creation of a (I think the Chrome App thing is mostly a distraction. Zotero Connector installed and try to serve bad Zotero Your files and hold them for ransom rather than hope you have the If anĪpp can bind to a local port, there's a good chance it also hasįilesystem access, in which case it would do well to encrypt all Trying to protect against a rogue local app, which can likely doĪll manner of things by virtue of running on your machine. Longstanding view has been that there's very little point in We're aware of this behavior, which has been in place for aĭecade, and we don't consider it a meaningful vulnerability. Thanks very much for the detailed report and PoC. Hence elevating privileges and can be a useful stuff in other type of attacks as Really take over Zotero from other extensions/apps in other contexts as well, This translator code can be a security hazard, and can Also, update the hashes from time to time toĪllow users to update translators code and add more of it over again. That? Then, when downloading new JS files – validate its hash is one of these It has a valid translator hash – using previously given set of valid hashesĭownloaded from trustworthy source, such as Zotero github or something like Users – then adding validation when downloading any JS file – and also verify The easiest way would be to disable download of translatorsĬode over Zotero localhost RPC, and user only verified Zotero HTTPS servers forĭownloading new JS files and executables.īut if one wants to add some more features/extensibility for Server (stage 3) – gets all cookies / running js in google context. Will get victim’s data – this can be any site controlled by attacker and not just – click over the downloaded “Mappy” directory.Ĭhrome-app – have no permissions to any site!!! This PoC shows an exploit where one low-privilege chrome-appĮxploits Zotero to gain more privileges. Localhost at TCP port 23119 all of the translators JS files. This can be also exploited from low-priv app running onĪctually the call for getTranslatorsCode, which always tryįirst to reach the local Zotero Server running on PC – will download from Hence, attacker can exploit this, using a limited permissionsĬhrome-app to exploit and run JS code inside Zotero content-scripts with all of When Zotero update and get new translators code – it doesn’t Hi, I have tried my best to give the best explanation of this bug to make sure our beloved Zotero (for real :)) stays safe as it can be! Hope to work with you on a quick fix for that soon enough! Thanks a lot!
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |