Oh god...

All Chrome extensions can execute remote code in their own context:

Included in the bug report is a proof-of-concept web extension by gorhill, author of uBlock Origin.

> Such ability to execute remote code from extension's own context is how Hover Zoom and SpeakIt! were found to track and data mine users, see:

Great... looks like the Chrome team is denying public access to this... and it wasn't captured beforehand in the Wayback Machine...

@andreas The issue author verified that Firefox is not affected by the vulnerability. One more reason to switch.
