Hacker News new | ask | show | jobs
by londons_explore 184 days ago
For example, the following hidden anywhere in the codebase allows arbitrary code execution even under the most stringent JavaScript security policy (no eval etc):

I=c=>c.map?c[0]?c.reduce((a,b)=>a[b=I(b)]||a(b),self):c[1]:c

(How it works is an exercise to the reader)

The actual code to run can be delivered as an innocuous looking JavaScript array from some server, and potentially only delivered to one high value target.
3 comments
ikekkdcjkfke 184 days ago
And the reason we can’t put execution of non-declared code behind a permission is because one anal developer at chrome thinks that we shouldn’t break existing sites even though no serious site would do this and you could just show a permission popup with triangle exclamation mark
link
londons_explore 183 days ago
That's what's great about this - it is an interpreter which allows the attacker to do absolutely anything, but no non-declared code is directly run.
link
johnebgd 184 days ago
Users have largely been trained to click okay when asked to give permission without thinking.
link
arein3 184 days ago
Let me ask gemini

Wow, it deconstructed it beautifully

A Concrete Example Imagine you pass this array to the function: ['alert', 'Hello World'] Here is the step-by-step execution:

  Initialization: The accumulator a starts as self (the window object).
  Iteration 1 (b = "alert"):
  I("alert") returns string "alert".
  It tries a["alert"] (which is window["alert"]).
  This finds the alert function.

  New Accumulator a: The alert function.
  Iteration 2 (b = "Hello World"):
  I("Hello World") returns string "Hello World".
  It tries a["Hello World"]. The alert function does not have a property named "Hello World", so this is undefined.
  The || operator moves to the right side: a(b).
  It executes alert("Hello World").
  Result: A browser popup appears.
link
cj 184 days ago
Isn’t minified code banned from chrome extensions?
link
electroly 184 days ago
Google allows minified extensions and doesn't require you to provide the original unminified source. I've never provided Google the real source code to my extension and they rubber-stamp every release. The Chrome Web Store is the wild west--you're on your own.

Mozilla allows minification but you're required to provide the original buildable source. Mozilla actually looks at the code and they reject updates all the time.

link
cj 184 days ago
Obfuscation is banned. Minification is not.

https://blog.chromium.org/2018/10/trustworthy-chrome-extensi...

link