Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It wasn't a particularly likely exploitation route... The user had to already be double-clicking files they'd downloaded from a malicious webpage. At that point, it might as well have been an .exe file.

And after all that, all it can do is run a search query. It can't leak all your Gmail emails or exploit the local machine.



> And after all that, all it can do is run a search query. It can't leak all your Gmail emails or exploit the local machine.

Doesn't that contradict the following?

> “However, because the IPC channel was exposed to JS directly in New Tab page, the XSS in Chrome’s NTP can be treated as the equivalent of renderer process RCE.”


Yes, but that IPC channel to the browser can only do anything useful if you find another exploit in the browser.

And the New Tab Page doesn't even have permissions to do much via that IPC channel, because its origin isn't equal to anything interesting.


The xss is stored via csrf. So an exploitation scenario would be that you visit a malicious page and then click in the search box on a new tab.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: