A privilege escalation from Chrome extensions (2023)

https://0x44.xyz/blog/cve-2023-4369/

66•deryilz•8mo ago

Comments

Briannaj•8mo ago

This is worth more than 10k imo. But I guess since you have to have an extension installed maybe that's why?

curiousObject•8mo ago

Agree.

The only permission the extension needed was “downloads, which normally only allows an extension to download and search for user files, not read or write to them”

That’s not an unusual permission for an attractive but safe sounding extension, for example an extension to download all images from a page

$100k at least?

The value of this to bad guys could be up to millions

SchemaLoad•8mo ago

Well the author decided to sell the bug to Google rather than to criminals so I guess it was deemed a good value. By selling it to Google you get to write a nice blog post you can show to future employers and you don't have to involve yourself in crime. So the payout needed is a lot less than what hackers might be offering.

DaSHacka•8mo ago

I have to wonder how many people mix-and-match.

Like, does a 6th or 7th blog post really matter, versus getting a large payout?

No rule that says you can't do both, or only disclose+publish the more 'impressive' of your exploits.

tim1994•8mo ago

Interesting read for sure! This is about ChromeOS though, Chrome on other platforms was not affected.

rvz•8mo ago

> For example, Google awarded $10,000 to a bug report which showed that extensions could read local files by screenshotting them. But there are more dangerous things than file reads.

I think this researcher got scammed without knowing it.

Google paid $10k for this bug despite billions of users using Chrome and there are plenty of brokers that will pay much more than that. (e.g. Zerodium)

They should have sold it as a 0day on the black market for more that $250k.

deryilz•8mo ago

Keep in mind it's a ChromeOS only bug. They regularly get less money, because not that many people use ChromeOS.

postalrat•8mo ago

Don't a lot of schools use chromebooks?

deryilz•8mo ago

True, but I don't think K12 students are the main targets of these big gray-hat companies that buy bugs for a lot of money.

rxliuli•8mo ago

Your journey of discovery is really cool.

The Janitor on Mars

Bringing Polars to .NET

Adventures in Guix Packaging

Show HN: We had 20 Claude terminals open, so we built Orcha

Your Best Thinking Is Wasted on the Wrong Decisions

Warcraftcn/UI – UI component library inspired by classic Warcraft III aesthetics

Trump Vodka Becomes Available for Pre-Orders

Velocity of Money

Stop building automations. Start running your business

You can't QA your way to the frontier

Show HN: PalettePoint – AI color palette generator from text or images

Robust and Interactable World Models in Computer Vision [video]

Nestlé couldn't crack Japan's coffee market.Then they hired a child psychologist

Notes for February 2-7

Study confirms experience beats youthful enthusiasm

The Big Hunger by Walter J Miller, Jr. (1952)

The Genus Amanita

We have broken SHA-1 in practice

Ask HN: Was my first management job bad, or is this what management is like?

Ask HN: How to Reduce Time Spent Crimping?

KV Cache Transform Coding for Compact Storage in LLM Inference

A quantitative, multimodal wearable bioelectronic device for stress assessment

Why Big Tech Is Throwing Cash into India in Quest for AI Supremacy

How to shoot yourself in the foot – 2026 edition

Eight More Months of Agents

From Human Thought to Machine Coordination

The new X API pricing must be a joke

Show HN: RMA Dashboard fast SAST results for monorepos (SARIF and triage)

Show HN: Source code graphRAG for Java/Kotlin development based on jQAssistant

Python Only Has One Real Competitor