A privilege escalation from Chrome extensions (2023)

https://0x44.xyz/blog/cve-2023-4369/

66•deryilz•8mo ago

Comments

Briannaj•8mo ago

This is worth more than 10k imo. But I guess since you have to have an extension installed maybe that's why?

curiousObject•8mo ago

Agree.

The only permission the extension needed was “downloads, which normally only allows an extension to download and search for user files, not read or write to them”

That’s not an unusual permission for an attractive but safe sounding extension, for example an extension to download all images from a page

$100k at least?

The value of this to bad guys could be up to millions

SchemaLoad•8mo ago

Well the author decided to sell the bug to Google rather than to criminals so I guess it was deemed a good value. By selling it to Google you get to write a nice blog post you can show to future employers and you don't have to involve yourself in crime. So the payout needed is a lot less than what hackers might be offering.

DaSHacka•8mo ago

I have to wonder how many people mix-and-match.

Like, does a 6th or 7th blog post really matter, versus getting a large payout?

No rule that says you can't do both, or only disclose+publish the more 'impressive' of your exploits.

tim1994•8mo ago

Interesting read for sure! This is about ChromeOS though, Chrome on other platforms was not affected.

rvz•8mo ago

> For example, Google awarded $10,000 to a bug report which showed that extensions could read local files by screenshotting them. But there are more dangerous things than file reads.

I think this researcher got scammed without knowing it.

Google paid $10k for this bug despite billions of users using Chrome and there are plenty of brokers that will pay much more than that. (e.g. Zerodium)

They should have sold it as a 0day on the black market for more that $250k.

deryilz•8mo ago

Keep in mind it's a ChromeOS only bug. They regularly get less money, because not that many people use ChromeOS.

postalrat•8mo ago

Don't a lot of schools use chromebooks?

deryilz•8mo ago

True, but I don't think K12 students are the main targets of these big gray-hat companies that buy bugs for a lot of money.

rxliuli•8mo ago

Your journey of discovery is really cool.

You Are Here

Why social apps need to become proactive, not reactive

How patient are AI scrapers, anyway? – Random Thoughts

Vouch: A contributor trust management system

I built a terminal monitoring app and custom firmware for a clock with Claude

Tiny C Compiler

Y Combinator Founder Organizes 'March for Billionaires'

Ask HN: Need feedback on the idea I'm working on

OpenClaw Addresses Security Risks

Apple finalizes Gemini / Siri deal

Italy Railways Sabotaged

Emacs-tramp-RPC: high-performance TRAMP back end using MsgPack-RPC

Nintendo Wii Themed Portfolio

"There must be something like the opposite of suicide "

Ask HN: Why doesn't Netflix add a “Theater Mode” that recreates the worst parts?

Show HN: Engineering Perception with Combinatorial Memetics

Show HN: Steam Daily – A Wordle-like daily puzzle game for Steam fans

The Anthropic Hive Mind

Just Started Using AmpCode

LLM as an Engineer vs. a Founder?

Crosstalk inside cells helps pathogens evade drugs, study finds

Show HN: Design system generator (mood to CSS in <1 second)

Show HN: 26/02/26 – 5 songs in a day

Toroidal Logit Bias – Reduce LLM hallucinations 40% with no fine-tuning

Top AI models fail at >96% of tasks

The Science of the Perfect Second (2023)

Bob Beck (OpenBSD) on why vi should stay vi (2006)

Show HN: a glimpse into the future of eye tracking for multi-agent use

The Optima-l Situation: A deep dive into the classic humanist sans-serif

Barn Owls Know When to Wait