A cross-site scripting (XSS) vulnerability in Chrome’s ‘New Tab’ page (NTP) that allowed hackers to run arbitrary JavaScript code has been patched by the Chromium team.
Threat actors can exploit the vulnerability by sending the target an HTML file containing a cross-site request forgery (CSRF) payload that submits a malicious JavaScript snippet to Google as a search query, said Ashish Dhone, cybersecurity researcher at Persistent System, who discovered the vulnerability.
If the target opens the file, the CSRF request fires and the query is stored in the browser’s search history. When the user next opens an NTP and clicks on the Google search bar, the malicious code is triggered.
The situation worsens if the user was logged into their Google account when opening the malicious file: the query is then saved to the account’s search history and triggered on any other device where that Google account is logged in.
“I wanted to find XSS in Chrome, hence my hunting started with the desktop application of Google Chrome. I was looking for HTML markup functionality where XSS can be executed. After spending hours, somehow, I found that in NTP, stored search queries are not sanitized and then I was able to execute [the uXSS],” Ashish stated.
uXSS attacks abuse client-side flaws in a browser or browser extensions to create an XSS condition and execute malicious code. “When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled,” Dhone explained.
While the vulnerability is dangerous, other researchers have pointed out that it is not a uXSS. “This XSS is a classic DOM-based XSS, where user-controlled text is assigned as an HTML using innerHTML,” security researcher Jun Kokatsu explained.
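To make the DOM-based pattern Kokatsu describes concrete, here is an added example (not Chromium’s NTP code and not code from either researcher): a history-list renderer in the vulnerable shape, where stored query text is concatenated straight into markup that would later be assigned via innerHTML, beside a hardened renderer that escapes the text first, plus a small check that flags stored entries carrying markup. The sample history entries are constructed for the example.

```javascript
// Added example, not from the article or from Chromium. It models the
// "user-controlled text assigned as HTML" defect and its fix, using
// plain strings so it runs under Node without a browser.

// Constructed sample search history. The second entry contains markup,
// which an innerHTML assignment would parse instead of displaying.
const SAMPLE_HISTORY = [
  "weather tomorrow",
  "<b>not plain text</b>",
];

// Escape the characters that change meaning inside HTML text or attribute
// values. In a real page, prefer `li.textContent = q` over building HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: the stored query goes into the markup unescaped, so
// `list.innerHTML = renderHistoryUnsafe(history)` would interpret any
// tags the query contains.
function renderHistoryUnsafe(history) {
  return history.map((q) => `<li class="query">${q}</li>`).join("");
}

// Hardened shape: the query is escaped and can only ever render as text.
function renderHistorySafe(history) {
  return history.map((q) => `<li class="query">${escapeHtml(q)}</li>`).join("");
}

// Review check: count tags beyond the <li>/</li> pair the template writes
// per entry. Anything extra leaked in from a history entry.
function unexpectedTagCount(html, entryCount) {
  const tags = (html.match(/<[^>]+>/g) || []).length;
  return tags - entryCount * 2;
}

// Defender check over stored entries: indices of queries that contain
// something an HTML parser would treat as a tag.
function entriesWithMarkup(history) {
  return history
    .map((q, i) => (/<[a-zA-Z/!]/.test(q) ? i : -1))
    .filter((i) => i >= 0);
}

// Stand-alone run: the unsafe renderer leaks 2 extra tags, the safe one 0.
console.log(unexpectedTagCount(renderHistoryUnsafe(SAMPLE_HISTORY), SAMPLE_HISTORY.length));
console.log(unexpectedTagCount(renderHistorySafe(SAMPLE_HISTORY), SAMPLE_HISTORY.length));
console.log(entriesWithMarkup(SAMPLE_HISTORY));
```

The escaping function is the minimum fix for a template that must produce HTML; where the DOM is available, assigning the query with `textContent` removes the parsing step entirely and is the simpler change.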
Chrome’s NTP exposes Mojo.JS bindings that let JavaScript send inter-process communication (IPC) messages to the browser process. The XSS bug could be chained with this IPC channel to reach bugs in the browser process, which runs at a much higher privilege than code in web pages.
“Usually, getting control over sending arbitrary IPC requires native code execution in the renderer process such as memory corruption bugs in the JS engine,” Kokatsu said. “However, because the IPC channel was exposed to JS directly in NTP, the XSS in Chrome’s NTP can be treated as the equivalent of renderer process RCE.”