Skip to content

[Security] Prevent extensions from injecting content scripts on account.brave.com #42998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
fmarier opened this issue Dec 19, 2024 · 4 comments · Fixed by brave/brave-core#27481
Closed

[Security] Prevent extensions from injecting content scripts on account.brave.com #42998

fmarier opened this issue Dec 19, 2024 · 4 comments · Fixed by brave/brave-core#27481
Assignees
@bsclifton
Labels
OS/Desktop premium All issues related to Brave Premium priority/P3 The next thing for us to work on. It'll ride the trains. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include security
Milestone
1.77.x - Release

Comments

@fmarier
Copy link
Member

fmarier commented Dec 19, 2024
edited by bsclifton
Loading

Test plan

See brave/brave-core#27481

Description

Originally reported at https://hackerone.com/reports/2906693
@fmarier fmarier added the priority/P3 The next thing for us to work on. It'll ride the trains. label Dec 19, 2024
@github-project-automation github-project-automation bot moved this to Untriaged Backlog in Security & Privacy Dec 19, 2024
@diracdeltas
Copy link
Member

diracdeltas commented Dec 19, 2024
edited
Loading

ref: brave/brave-core#2946
we want to apply the content script block to all domains where the SKUs API is injected (https://github.com/brave/brave-core/blob/e26734efeb0a24b767e32741517b1f45ca4a38a9/components/skus/renderer/skus_utils.cc#L17 i think?)

bsclifton added a commit to brave/brave-core that referenced this issue Feb 4, 2025
@bsclifton
Prevents extensions from accessing protected resources.
8252abd 
Fixes brave/brave-browser#42998
@bsclifton bsclifton mentioned this issue Feb 4, 2025
Merged
24 tasks
bsclifton added a commit to brave/brave-core that referenced this issue Feb 4, 2025
@bsclifton
Prevents extensions from accessing protected resources.
00f6bc4 
Fixes brave/brave-browser#42998
bsclifton added a commit to brave/brave-core that referenced this issue Feb 8, 2025
@bsclifton
Prevents extensions from accessing protected resources.
b0515c2 
Fixes brave/brave-browser#42998
bsclifton added a commit to brave/brave-core that referenced this issue Feb 11, 2025
@bsclifton
Prevents extensions from accessing protected resources.
ac40d58 
Fixes brave/brave-browser#42998
@bsclifton bsclifton mentioned this issue Feb 12, 2025
Open
@github-project-automation github-project-automation bot moved this from Untriaged Backlog to Completed in Security & Privacy Feb 12, 2025
@github-project-automation github-project-automation bot moved this from Untriaged Backlog to Completed in Security & Privacy Feb 12, 2025
@brave-builds brave-builds added this to the 1.77.x - Nightly milestone Feb 12, 2025
@mattmcalister mattmcalister added the premium All issues related to Brave Premium label Feb 17, 2025
@LaurenWags LaurenWags changed the title Prevent extensions from injecting content scripts on account.brave.com [Security] Prevent extensions from injecting content scripts on account.brave.com Mar 7, 2025
@LaurenWags LaurenWags added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Mar 18, 2025
@LaurenWags
Copy link
Member

LaurenWags commented Mar 18, 2025
edited
Loading

Verified with

Brave | 1.77.83 Chromium: 134.0.6998.95 (Official Build) beta (x86_64)
-- | --
Revision | ebd160121bb160e51ae95b772e39e9c5a1dd4fda
OS | macOS Version 14.7.4 (Build 23H420)

Reproduced the issue using 1.76.74 Chromium: 134.0.6998.89 and test plan from PR:

Image

Verified test plan from brave/brave-core#27481 (comment)

Case 1 - Existing VPN subscription/production - PASSED
  1. Fresh profile 1.77.x
  2. Installed Tampermonkey extension from Chrome Web Store
  3. Visited brave://extensions/ and enabled Developer mode in the top right.
  4. Closed browser and relaunched as directed
  5. Navigated to the extension dashboard, created a new script, and pasted the example from the HackerOne proof of concept
  6. Clicked on VPN icon in toolbar and selected the "Already purchased Brave VPN?" link
  7. Logged into account.brave.com (production) with an account that has VPN
  8. Confirmed my credentials were loaded
Image
  1. Enabled Brave VPN
  2. On the account details page (with VPN loaded and working), opened the developer tools
  3. Confirmed I do not see summary captured by extension: and information printed in the console
Image
Case 2 - New VPN subscription/staging - PASSED
  1. Fresh profile 1.77.x
  2. Installed Tampermonkey extension from Chrome Web Store
  3. Visited brave://extensions/ and enabled Developer mode in the top right.
  4. Closed browser and relaunched as directed
  5. Navigated to the extension dashboard, created a new script, and pasted the example from the HackerOne proof of concept (modified for staging)
  6. Navigated to account.bravesoftware.com and purchased a new VPN subscription
  7. Confirmed my credentials were loaded
Image
  1. Enabled Brave VPN
  2. On the account details page (with VPN loaded and working), opened the developer tools
  3. Confirmed I do not see summary captured by extension: and information printed in the console
Image

@LaurenWags LaurenWags added QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Mar 18, 2025
@MadhaviSeelam
Copy link

MadhaviSeelam commented Mar 18, 2025
edited
Loading

Verification In progress using

Brave | 1.77.83 Chromium: 134.0.6998.95 (Official Build) beta (64-bit)
-- | --
Revision | ebd160121bb160e51ae95b772e39e9c5a1dd4fda
OS | Windows 11 Version 24H2 (Build 26100.3194)

Reproduced the issue in 1.76.74 Chromium: 134.0.6998.89 (Official Build) (64-bit) using test plan from PR:

Image

Case 1 - Existing VPN subscription/production - PASSED
  1. Fresh profile 1.77.83
  2. Installed Tampermonkey extension from Chrome Web Store
  3. Visited brave://extensions/ and enabled Developer mode in the top right.
  4. Closed browser and relaunched as directed
  5. Navigated to the extension dashboard, created a new script, and pasted the example from the HackerOne proof of concept
  6. Clicked on VPN icon in toolbar and selected the "Already purchased Brave VPN?" link
  7. Logged into account.brave.com (production) with an account that has VPN
  8. Confirmed my credentials were loaded
  9. Enabled Brave VPN
  10. On the account details page (with VPN loaded and working), opened the developer tools
  11. Confirmed I do not see summary captured by extension: and information printed in the console
example example example
Image Image Image
Case 2 - New VPN subscription/staging - PASSED
  1. Fresh profile 1.77.x
  2. Installed Tampermonkey extension from Chrome Web Store
  3. Visited brave://extensions/ and enabled Developer mode in the top right.
  4. Closed browser and relaunched as directed
  5. Navigated to the extension dashboard, created a new script, and pasted the example from the HackerOne proof of concept (modified for staging)
  6. Navigated to account.bravesoftware.com and purchased a new VPN subscription
  7. Confirmed my credentials were loaded
  8. Enabled Brave VPN
  9. On the account details page (with VPN loaded and working), opened the developer tools
  10. Confirmed I do not see summary captured by extension: and information printed in the console
example example
Image Image

@LaurenWags LaurenWags added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Mar 20, 2025
@LaurenWags
Copy link
Member

LaurenWags commented Mar 20, 2025
edited
Loading

Verified with

Brave | 1.77.85 Chromium: 134.0.6998.118 (Official Build) beta (64-bit)
-- | --
Revision | 979ebc717a0bade18469ac1215f0cc57d27a7912
OS | Linux

Verified test plan from brave/brave-core#27481 (comment)

Case 1 - Existing Talk subscription/production - PASSED
  1. Fresh profile 1.77.x
  2. Installed Tampermonkey extension from Chrome Web Store
  3. Visited brave://extensions/ and enabled Developer mode in the top right.
  4. Closed browser and relaunched as directed
  5. Navigated to the extension dashboard, created a new script, and pasted the example from the HackerOne proof of concept
  6. Logged into account.brave.com (production) with an account that has Talk subscription
  7. Confirmed my credentials were loaded
  8. Started a premium Talk call
Image
  1. On the account details page (with Talk loaded and working), opened the developer tools
  2. Confirmed I do not see summary captured by extension: and information printed in the console
Image
Case 2 - New Talk subscription/staging - PASSED
  1. Fresh profile 1.77.x
  2. Installed Tampermonkey extension from Chrome Web Store
  3. Visited brave://extensions/ and enabled Developer mode in the top right.
  4. Closed browser and relaunched as directed
  5. Navigated to the extension dashboard, created a new script, and pasted the example from the HackerOne proof of concept (modified for staging)
  6. Navigated to account.bravesoftware.com and purchased a new Talk subscription
  7. Confirmed my credentials were loaded
  8. Started a premium Talk call
Image
  1. On the account details page (with Talk loaded and working), opened the developer tools
  2. Confirmed I do not see summary captured by extension: and information printed in the console
Image

@LaurenWags LaurenWags added QA Pass-Linux and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Mar 21, 2025
@LaurenWags LaurenWags mentioned this issue Apr 1, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bsclifton bsclifton

Labels
OS/Desktop premium All issues related to Brave Premium priority/P3 The next thing for us to work on. It'll ride the trains. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include security
Projects
Security & Privacy
Status: Completed
Milestone
1.77.x - Release
Development

Successfully merging a pull request may close this issue.

Prevents extensions from accessing protected resources brave/brave-core
7 participants
@mattmcalister @fmarier @diracdeltas @bsclifton @LaurenWags @brave-builds @MadhaviSeelam