
XSS in Gmail through Rapportive  - xSwag
http://blog.kotowicz.net/2013/12/rapportive-xsses-gmail-or-have-yourself.html
======
borski
This type of thing is all too common. We wrote about a worse case last year
where an extension XSS'd quite literally the entire internet:
[https://www.tinfoilsecurity.com/blog/building-a-browser-extension-be-careful-not-t-17787](https://www.tinfoilsecurity.com/blog/building-a-browser-extension-be-careful-not-t-17787)

The scariest thing here is that you have arbitrary code execution, so your
options are limitless. Check out XSS Harvest:
[https://github.com/Miserlou/XSS-Harvest](https://github.com/Miserlou/XSS-Harvest)

------
RyanZAG
Yeah, so I'm uninstalling every plugin/extension I have that I don't absolutely
trust. I'd recommend you do the same.

~~~
arkitaip
It's not a question of trust but competence, and that's practically impossible
to evaluate as an end user.

------
troels
Wow, that's scary stuff.

I guess the lesson here is to only use extensions from vendors where you have
absolute confidence in their capabilities or from popular open source projects
(Basically the same thing).

~~~
Morgawr
Honestly, I'd rather just not use extensions at all. They've proven insecure
in the past and will probably be insecure in the future. Even if they come
from a trusted vendor, that doesn't mean they won't be compromised.

Are all these extensions that "prettify" our browsing experience all that
necessary? Some, maybe (HTTPS Everywhere, Ghostery, NoScript, etc.), but
most of them aren't. I personally prefer to keep my browser clean; it's even
more responsive this way.

~~~
notatoad
What I'd like to see, and as far as I know it doesn't exist in any browser, is
a way to prevent any extensions from running on certain sites. I want some
things like AdBlock installed for general browsing, but there's no reason I
need it running on my email, my banking, or my employer's control panel. I can
white-list sites inside of extensions, but that still leaves me trusting the
extension to properly implement its white-listing feature. I'd much rather
have Chrome managing a list of sites where the extension doesn't get to run at
all.

~~~
iurisilvio
You always can use the incognito window to do that, but I agree it is really
annoying.

------
ufmace
Interesting. Looks like the most potentially dangerous extensions are the ones
pulling stuff from other websites to inject into the current site, and ones
doing text processing/conversion on document contents. I don't have any
extensions that do that, so hopefully I'm safe...

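The pattern described above, an extension that fetches data from a third-party
service and injects it into the page it runs on, is exactly where this class of
bug lives. The following is an added example (written for this thread, not code
from Rapportive or from the linked post) showing the vulnerable rendering beside
a hardened one. The profile object is a constructed sample with a markup payload
in its `name` and a `javascript:` URL; the field names and the `renderProfile*`
helpers are assumptions made for the illustration. String-escaping is used
instead of DOM APIs so the block runs in plain Node without a page; in a real
content script, build nodes with `document.createElement` and set `textContent`
rather than assigning `innerHTML`.

```javascript
// Constructed sample of what a remote profile service might return. The
// "name" field carries an attacker-controlled markup payload and "url" is a
// javascript: scheme link; a real service would return ordinary strings.
const SAMPLE_PROFILE = {
  name: 'Alice <img src=x onerror="alert(document.cookie)">',
  title: 'Engineer & "Maker"',
  url: 'javascript:alert(1)',
};

// Vulnerable rendering (hypothetical): remote JSON fields are concatenated
// straight into HTML, so any markup they contain executes in the origin of
// the host page (here, the mail client) once this string is assigned to
// innerHTML.
function renderProfileUnsafe(profile) {
  return `<div class="card"><a href="${profile.url}">${profile.name}</a>` +
         `<span>${profile.title}</span></div>`;
}

// Minimal HTML entity escaping, adequate for element text and for
// double-quoted attribute values. '&' must be replaced first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only http(s) URLs are allowed in an href; javascript:, data: and
// unparseable values collapse to a harmless '#'.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u));
    return (parsed.protocol === 'http:' || parsed.protocol === 'https:')
      ? parsed.href : '#';
  } catch (e) {
    return '#';
  }
}

// Hardened rendering: each remote field is escaped for the context it lands
// in, and the link scheme is validated before it is placed in an attribute.
function renderProfileSafe(profile) {
  return `<div class="card"><a href="${escapeHtml(safeUrl(profile.url))}">` +
         `${escapeHtml(profile.name)}</a>` +
         `<span>${escapeHtml(profile.title)}</span></div>`;
}

// Demo check: the card template only ever emits div, a and span. Any other
// tag, or a javascript: href, must have come from the remote data.
const EXPECTED_TAGS = new Set(['div', 'a', 'span']);
function hasUnexpectedMarkup(html) {
  const tagRe = /<\/?([a-z][a-z0-9]*)/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!EXPECTED_TAGS.has(m[1].toLowerCase())) return true;
  }
  return /href="javascript:/i.test(html);
}

console.log('unsafe :', renderProfileUnsafe(SAMPLE_PROFILE));
console.log('safe   :', renderProfileSafe(SAMPLE_PROFILE));
console.log('unsafe injects markup:', hasUnexpectedMarkup(renderProfileUnsafe(SAMPLE_PROFILE)));
console.log('safe injects markup  :', hasUnexpectedMarkup(renderProfileSafe(SAMPLE_PROFILE)));
```

The escaping here covers the two contexts the template actually uses (text and
a quoted attribute); if a field ever went into a `<script>` block, an
unquoted attribute or a CSS value, a different encoder would be needed, which
is the usual argument for constructing nodes through the DOM instead.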
------
driverdan
Security problems like this are so common in 3rd party extensions / plugins /
add-ons. While the most widely used open source ones tend to have fewer bugs,
many of the less popular ones are full of problems. Take a look at WordPress
plugins to see what I mean.

------
iggyhop
Rapportive is a quite versatile tool...
[http://jordan-wright.github.io/blog/2013/10/14/automated-social-engineering-recon-using-rapportive/](http://jordan-wright.github.io/blog/2013/10/14/automated-social-engineering-recon-using-rapportive/)

------
yeukhon
See this talk:
[https://www.usenix.org/conference/usenixsecurity12/evaluation-google-chrome-extension-security-architecture](https://www.usenix.org/conference/usenixsecurity12/evaluation-google-chrome-extension-security-architecture)

------
skillcode
great find :)

