Oh god...

All Chrome extensions can execute remote code in their own context:
bugs.chromium.org/p/chromium/i

Included in the bug report is a proof-of-concept web extension by gorhill, author of uBlock Origin.

> Such ability to execute remote code from extension's own context is how Hover Zoom and SpeakIt! were found to track and data mine users, see:

arstechnica.com/information-te

Great... looks like the Chrome team is denying public access to this... and it wasn't captured beforehand in the Wayback Machine.

@andreas The issue author verified that Firefox is not affected by the vulnerability. One more reason to switch.
