The Read & Write Chrome extension knew everything about you

Well, maybe not literally everything, but it certainly could read ALL e-mails from Gmail, Outlook, WP, Interia, Onet and countless other web-mail accounts open in the browser. The proof of concept presented here exploited no vulnerability in Gmail and no 0-day vulnerability in the browser. An XSS attack on the API of the Read & Write extension, which has been installed almost 8 million times, made it possible to display, on a page prepared by the attacker, all the messages in the mailbox. How?

The extension used the inject.js file to inject its toolbar into pages at any URL. It made no difference whether a page was loaded over HTTP or HTTPS, because the supposedly "safe" injection of code into the tabs open in the browser was handled locally by the extension, bypassing the browser's Same-Origin Policy (SOP). Such an "attack" was made possible by the extension authors' own implementation. The manifest file shows this: inject.js is injected into both encrypted and unencrypted pages:

... trimmed for brevity ...
  "content_scripts": [
    {
      "matches": ["https://*/*", "http://*/*"],
      "js": ["inject.js"],
      "run_at": "document_idle",
      "all_frames": true
    }
  ]
... trimmed for brevity ...

The extension injected the code from inject.js into the page at any URL, and the requests it made carried the victim's cookies, which means the payload could steal the contents of any website the user was logged in to, as shown in the following video:

The attacker could host the generated exploit at any URL and use it to read the content of another website. The researcher who found the vulnerability also points out that it could be used to open an unlimited number of tabs (which would certainly exhaust all available RAM). The PoC shown here did one thing, but the vulnerability in the extension can be used not only to steal the contents of a mailbox but also, after injecting additional JavaScript code that acts as a proxy, to steal logins and passwords.
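As an added example (not code from the Read & Write extension, from AVLab, or from the researcher), the following JavaScript shows the two checks a defender takes away from this report. The first audits a manifest's content_scripts entries and flags scripts injected into every http/https page and every frame, which is the exposure the manifest fragment above shows. The second is a content-script message gate: a content script runs inside every matched page, so any message it accepts from the page and relays to the extension's background page is effectively an API offered to that page; the gate relays only an allowlisted command, only from the page's own window and an allowlisted origin, and never a page-supplied URL or script. The origin https://app.example.com, the command names, and the sample manifest and message events are constructed for this example.

```javascript
// Added example: defender-side checks for a browser extension's content scripts.
// Not code from the Read & Write extension. Origins, command names and sample
// data below are constructed for illustration.

// Match patterns that put a content script into every http/https page.
const BROAD_PATTERNS = new Set(["<all_urls>", "http://*/*", "https://*/*", "*://*/*"]);

// Returns one finding per content_scripts entry whose matches are over-broad
// (an empty array means nothing looked over-broad).
function auditContentScripts(manifest) {
  const findings = [];
  for (const [index, cs] of (manifest.content_scripts || []).entries()) {
    const broad = (cs.matches || []).filter((m) => BROAD_PATTERNS.has(m));
    if (broad.length === 0) continue;
    const allFrames = cs.all_frames === true;
    findings.push({
      index,
      js: cs.js || [],
      matches: broad,
      allFrames,
      note: allFrames
        ? "injected into every page and every frame; any site can reach this script"
        : "injected into every page; any site can reach this script",
    });
  }
  return findings;
}

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);   // assumed origin
const ALLOWED_COMMANDS = new Set(["toolbar:show", "toolbar:hide"]); // assumed commands

// `event` has the shape of a window 'message' event ({ source, origin, data });
// `win` is the window the content script runs in. Returns the message to relay
// to the background page, or null to drop it.
function gateMessage(event, win) {
  // A message posted by another window (an embedded frame, an opener) arrives
  // with event.source !== win; reject it before looking at the payload.
  if (event.source !== win) return null;
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  const d = event.data;
  if (!d || typeof d !== "object" || typeof d.cmd !== "string") return null;
  if (!ALLOWED_COMMANDS.has(d.cmd)) return null;
  // Relay only the command name. Any url, code or other page-controlled field
  // is dropped, so the background page cannot be turned into a cookie-bearing
  // cross-origin fetch proxy for the page.
  return { cmd: d.cmd };
}

// Constructed sample manifest, shaped like the fragment quoted in the article.
const SAMPLE_MANIFEST = {
  content_scripts: [
    {
      matches: ["https://*/*", "http://*/*"],
      js: ["inject.js"],
      run_at: "document_idle",
      all_frames: true,
    },
  ],
};

// Constructed message events: the page window, and a foreign window that
// stands in for a frame controlled by someone else.
const pageWindow = {};
const otherWindow = {};
const SAMPLE_EVENTS = [
  { source: pageWindow, origin: "https://app.example.com", data: { cmd: "toolbar:show" } },
  { source: pageWindow, origin: "https://evil.example", data: { cmd: "toolbar:show" } },
  { source: otherWindow, origin: "https://app.example.com", data: { cmd: "toolbar:show" } },
  { source: pageWindow, origin: "https://app.example.com", data: { cmd: "fetch", url: "https://mail.example/inbox" } },
];

// Runs both checks over the constructed samples and returns the results.
function runDemo() {
  return {
    findings: auditContentScripts(SAMPLE_MANIFEST),
    relayed: SAMPLE_EVENTS.map((e) => gateMessage(e, pageWindow)),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run with `node`: the audit reports the single content_scripts entry as injected into every page and every frame, and of the four sample messages only the first (same window, allowlisted origin, allowlisted command) is relayed; the foreign origin, the foreign window, and the page-supplied fetch request are all dropped.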

Read & Write extension with a serious security hole

The vulnerability in the Read & Write extension was reported on June 3 and patched a day later. If you use this add-on, like 8 million other users, make sure you have updated to version 1.8.0.151.

In a similar way it was possible to completely take over the ZenMate VPN service. Three and a half million users could have lost access to their accounts because of a security flaw that allowed the disclosure of the authentication ID and secret token.


