Chrowned by an Extension: Abusing the Chrome DevTools Protocol through the Debugger API
José Miguel Moreno, Narseo Vallina-Rodriguez, Juan Tapiador

TL;DR
This paper uncovers security vulnerabilities in Chromium's Debugger API, demonstrating six attacks that compromise user privacy, security, and browser integrity, and discusses design flaws enabling these exploits.
Contribution
It identifies and demonstrates critical security vulnerabilities in the Debugger API of Chromium-based browsers, highlighting design flaws and proposing mitigations.
Findings
Six practical attacks demonstrated on Chromium browsers
Vulnerabilities enable privilege escalation and data theft
Some vulnerabilities have been fixed by Chromium team
Abstract
The Chromium open-source project has become a fundamental piece of the Web as we know it today, with multiple vendors offering browsers based on its codebase. One of its most popular features is the possibility of altering or enhancing the browser functionality through third-party programs known as browser extensions. Extensions have access to a wide range of capabilities through the use of APIs exposed by Chromium. The Debugger API -- arguably the most powerful of such APIs -- allows extensions to use the Chrome DevTools Protocol (CDP), a capability-rich tool for debugging and instrumenting the browser. In this paper, we describe several vulnerabilities present in the Debugger API and in the granting of capabilities to extensions that can be used by an attacker to take control of the browser, escalate privileges, and break context isolation. We demonstrate their impact by introducing…
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing · Advanced Malware Detection Techniques
