A privilege escalation from Chrome extensions (2023)

https://0x44.xyz/blog/cve-2023-4369/
65•deryilz•1d ago

Comments

Briannaj•1d ago
This is worth more than 10k imo. But I guess since you have to have an extension installed maybe that's why?
curiousObject•1d ago
Agree.

The only permission the extension needed was “downloads, which normally only allows an extension to download and search for user files, not read or write to them”

That’s not an unusual permission for an attractive but safe sounding extension, for example an extension to download all images from a page

$100k at least?

The value of this to bad guys could be up to millions
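
As an added illustration of the baseline the quoted sentence describes (this is example code, not from the linked write-up or from anyone in this thread), the block below sketches the "download all images from a page" extension the comment mentions: a hypothetical MV3 manifest whose only privileged entry is `downloads`, a content-script-style collector for image URLs, and the background-side calls to `chrome.downloads.download` and `chrome.downloads.search`. Since `chrome.downloads` only exists inside a browser, a constructed stand-in with the same method shapes is used so the flow runs offline; the manifest, the sample page markup and the extension name are all made up for the example.

```javascript
// Added example, not code from the post or the thread. Shows what the MV3
// "downloads" permission normally exposes: start downloads and query their
// metadata. Nothing here can read or write the contents of a user's files.

// Hypothetical manifest; "downloads" is the only privileged permission.
const manifest = {
  manifest_version: 3,
  name: "Save page images (hypothetical)",
  version: "0.1",
  permissions: ["downloads"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// content.js side: collect absolute http(s) image URLs from page markup.
// A real content script would walk document.images; parsing a string here
// lets the function run on constructed input outside a browser.
function collectImageUrls(html, pageUrl) {
  const urls = new Set();
  const re = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const u = new URL(m[1], pageUrl);
      // javascript:, data: and other schemes are dropped; the downloads API
      // is only asked for network resources.
      if (u.protocol === "http:" || u.protocol === "https:") urls.add(u.href);
    } catch {
      // malformed src values are skipped
    }
  }
  return [...urls];
}

// background.js side: queue each URL with downloads.download, then ask
// downloads.search what the API is willing to report about the results.
// `downloads` is injected so the same code runs against the real
// chrome.downloads or the stand-in below.
async function downloadAll(urls, downloads) {
  const ids = [];
  for (const url of urls) {
    const base = new URL(url).pathname.split("/").pop() || "image";
    const id = await downloads.download({
      url,
      filename: "page-images/" + base,
      conflictAction: "uniquify",
    });
    ids.push(id);
  }
  // DownloadItem metadata only: id, url, filename, state, byte counts.
  const items = await downloads.search({ orderBy: ["-startTime"] });
  return { ids, items: items.filter((it) => ids.includes(it.id)) };
}

// Constructed stand-in for chrome.downloads with the same method shapes.
function makeFakeDownloadsApi() {
  const items = [];
  return {
    async download({ url, filename, conflictAction }) {
      const id = items.length + 1;
      items.push({ id, url, filename, conflictAction, state: "complete",
                   bytesReceived: 0, totalBytes: 0 });
      return id;
    },
    async search(_query) {
      return items.slice();
    },
  };
}

// Constructed sample page markup: one relative URL, one absolute URL,
// one javascript: URL that must be dropped, and one duplicate.
const SAMPLE_HTML = `
  <img src="/a.png"><img src='https://cdn.example.net/b.jpg'>
  <img src="javascript:alert(1)"><img src="/a.png">`;

async function demo() {
  const urls = collectImageUrls(SAMPLE_HTML, "https://example.com/gallery/");
  const api = typeof chrome !== "undefined" && chrome.downloads
    ? chrome.downloads
    : makeFakeDownloadsApi();
  return downloadAll(urls, api);
}
```

Everything the extension gets back is a `DownloadItem` record (paths, sizes, state), which is why a permission like this reads as harmless in the install prompt; the point of the thread is that the bug let an extension holding only this permission reach past that surface.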

SchemaLoad•1d ago
Well the author decided to sell the bug to Google rather than to criminals so I guess it was deemed a good value. By selling it to Google you get to write a nice blog post you can show to future employers and you don't have to involve yourself in crime. So the payout needed is a lot less than what hackers might be offering.
DaSHacka•1d ago
I have to wonder how many people mix-and-match.

Like, does a 6th or 7th blog post really matter, versus getting a large payout?

No rule that says you can't do both, or only disclose+publish the more 'impressive' of your exploits.

tim1994•1d ago
Interesting read for sure! This is about ChromeOS though, Chrome on other platforms was not affected.
rvz•20h ago
> For example, Google awarded $10,000 to a bug report which showed that extensions could read local files by screenshotting them. But there are more dangerous things than file reads.

I think this researcher got scammed without knowing it.

Google paid $10k for this bug despite billions of users using Chrome and there are plenty of brokers that will pay much more than that. (e.g. Zerodium)

They should have sold it as a 0day on the black market for more than $250k.

deryilz•20h ago
Keep in mind it's a ChromeOS only bug. They regularly get less money, because not that many people use ChromeOS.
postalrat•16h ago
Don't a lot of schools use chromebooks?
deryilz•16h ago
True, but I don't think K-12 students are the main targets of these big gray-hat companies that buy bugs for a lot of money.
rxliuli•19h ago
Your journey of discovery is really cool.