*36C3 preroll music*

Herald: The next speaker works as a security consultant at Payatu software labs, and he loves finding security flaws in the Microsoft Edge browser. And incidentally, this is the topic for this next talk. So please give a big round of applause to Nikhil Mittal.

*applause*

Nikhil Mittal: So, welcome to the talk: Breaking Microsoft Edge Extensions Security Policies. My name is Nikhil, I work at Payatu Labs, and I am into web browser vulnerability research. So to start with this presentation, I would like to know how many of you use browser extensions in general, like... Oh, nice. So many of us. OK. So a browser extension is something that extends the functionality of your web browser. We have typical examples like Adblock Plus, which I think most people use to block the ads on certain sites like YouTube, and Grammarly, and some sort of password managers as well. So these extensions are capable of managing most of your data, because they can handle the cookies, bookmarks, storage, passwords, history and what not. So that being said, we all have to agree on a point that these extensions are powerful, because they can deal with your cookies, bookmarks and other sensitive information in the browser.

So here is how the simple Adblock Plus extension looks on Microsoft Edge, which is pretty much doing its job. Now, have you ever tried to figure out what this extension is capable of doing in your browser? So if you look at the settings, here we have a couple of permissions, which I've listed on the next slide. So the simple Adblock Plus extension can read and change content on websites that you visit. It can read and change your favorites. It can see the websites you visit. It can read and change anything you send or receive. It can also store personal browsing data on your browser, and it can also display notifications as well. So there are so many things a simple Adblock Plus extension is able to do in your browser. So you might ask how browsers recognize these permissions, like, an extension is able to do so many things in my browser, but how does the browser recognize where these permissions are coming from? So here is the permission model of browser extensions. Under the source of every extension, we have a file called manifest.json, and inside of the manifest.json file we have a permissions area. So here's a quick example of a permissions area, where we have some permissions. The first one is https://www.google.com, which we'll see right after this slide. The next permissions we have are bookmarks and cookies, history, storage and tabs.

So let's suppose an extension has permissions with the bookmarks and cookies. That means that extension can handle your bookmarks. It can manipulate them, it can edit them, it can remove them and what not. The same goes with the cookies and history as well. And there are other important permissions available for the browsers as well. So apart from these permissions, the most interesting permission that I was looking for is the host access permissions. The host access permission is something that defines on which certain domains your browser extension should be able to run. So in this case, let's suppose we have assigned a permission to https://www.google.com. That means this extension should be able to run on google.com only, not even on the subdomains, that is developer.google.com or mail.google.com. This you can also verify with the tiny box that says this is allowed to read and change content on some sites: www.google.com. Now the second permission we could have here is https://*.google.com. So basically this also covers the subdomains as well. And the third possible permission we can have is *://*.google.com. So basically this will now work not only on google.com, but on all the protocols as well, which is HTTP, HTTPS, might be FTP, that belong to the particular domain.

So apart from these three permissions, we have another permission in the roll, which is <all_urls>. This permission is so special because once a browser extension is assigned the <all_urls> permission, it can execute JavaScript code on every domain that you visit. So let's suppose you are on google.com, or maybe you're on bing.com or anything else, it will work most probably on every domain. But there are a few restrictions with the <all_urls> permission. That is, it cannot run on privileged pages. So privileged pages in a browser are something that contain some sort of sensitive settings of your browser data, so you might have heard of chrome://settings, which contains the password manager for Chrome. And also you can find the credit card and debit card information on chrome://settings as well. So you can imagine a situation: once the extension is able to run JavaScript code on the Chrome settings page, then it can probably read, or it can steal, all of your passwords and credit and debit card information as well. So on Edge, we have a similar page, which is about:flags. So here you can see one extension with the <all_urls> permission assigned. It can read and change content on websites you visit, as for Edge. So here's a quick snap of about:flags in Edge. If you look at the first part, you will figure out there are a few embedded permissions, like you can enable Adobe Flash Player. You can also enable developer features. And also you can enable and disable "allow unrestricted memory consumption" for the web pages as well. And it also has some standard preview features, like you can enable or disable some experimental JavaScript features as well. So now you can imagine the sensitivity of what this page contains, okay?

So let's quickly build an extension that will break most of the things in Edge. As I said, every extension has a manifest.json file which has all the permissions and other configuration. The second file that we will be needing is popup.html. So popup.html is nothing but just the interface for the browser extension. Basically you might have noticed, as soon as you click on any browser extension, a popup appears on your window that contains some sort of functions. That is nothing but just the popup.html file. And then again we have a popup.js which has all the JavaScript code that executes according to the actions chosen in the popup.html. So this is how our extension should look on Edge. We have a tiny Microsoft logo, and as soon as you click on it, a popup will appear. It says "I am the evil extension" and I have two options. The first one is "open", the second one is "execute". As soon as you click on the open button, what it does is it will load google.com in the browser. And as soon as you click on the execute button, it will just alert(1) for you. So basically the interface is written in popup.html, and as soon as you click on execute, the work is done by popup.js.

So let's quickly look at the source code for the manifest.json file. The thing to notice here is that you can figure out the permissions area on line number 10, which is set to http://www.google.com. That means it's clear that this extension should be able to run on google.com only, I mean not even on the subdomains. So here's the source code for the popup.html, which is just a simple HTML file that has two buttons. The first one is open, the second one is execute. And it includes popup.js at the end. So here we have the popup.js. In a very brief manner, what it does is, as soon as you click on the open button, it loads google.com. And as soon as you click on the execute button, it calls the JavaScript: it alerts document.domain for you.

So there are so many APIs available for the browser extensions that you can use, like the history API and some sort of proxy API, tabs API. But for me this tabs API was so interesting because it allows you to play with different tabs. It has some functions, methods inside, like tabs.create. What it does is it allows you to create a new tab with any arbitrary domain. It also has tabs.update, and what it does is it allows you to update the page with the next URI. And tabs.duplicate is also important because it allows you to make an exact replica of an already open tab. The next method is tabs.executeScript. This is pretty simple: this allows you to execute JavaScript code. And tabs.hide and tabs.reload, which are pretty easy. And there are so many other methods as well. Out of them, the most interesting ones for me were create and update, and also the duplicate method. So let's say if you want to load bing.com in a new tab using a browser extension, you can just write these five lines of code that call browser.tabs.create, and then pass a URL which is https www.google.com. So this is as far as the documentation, and this is for the good boys, like, not for us. So as an evil mind, I was interested to know what would happen if I tried to load local files instead of a normal domain. So then I replaced the Bing URL with a particular local file URI to try to figure out how the browser will treat it. Will it open it or not? So the next moment Edge gives me this nice error, like, OK, I can't reach this page, make sure you have got the right web address. That is ms-browser-extension and then the path for the extension, and it appends the file URI part at the end. So basically it assumes that this is a relative path: I'm going to add it to the extension path and I'm going to try to open it. So since that particular path doesn't exist, it gives us an error. So this is not a thing with the extension only, but this is in general like any of the browsers: they don't allow you to load local files at any cost, because this might lead to an issue to steal your local system's files. So you can see the image in the Edge and Chrome browsers. Here I am trying to load local files using JavaScript, and every time it says, OK, we are not allowed to do that because we care about our users and we will protect them.

So since we figured out this browser.tabs.create method was not working for us, the next method that I was looking for was the update. So I tried the same thing with the update method and somehow it worked for me. So next, once I figured out, OK, now I can load the local files, now I want to load the privileged pages, because they're also interesting for me. And it was also working fine for me at the moment. So here you can see, as soon as you click on the open button, the browser loads a local file for me and also a privileged page on Edge. So I reported this back to Microsoft, and they quickly responded back to me saying: we don't support the download API, so even if you load the local files, you have no way to steal them. Like, you literally cannot do anything by loading the local files, and we are not going to fix it. So I said, okay, let's do it another way.

So the next moment the idea that came to my mind is to use the JavaScript URI. A JavaScript URI is something that starts with the JavaScript protocol. It has a particular syntax: first javascript, and then a colon, and then the JavaScript code. Here we have a simple example: as soon as the a href javascript:alert(1) gets rendered in the browser and you click on "test", JavaScript code will pop up in your browser. So the good thing about JavaScript URIs is that they execute in the main domain's reference, unlike the data URIs. So you can look into the image. We have the JavaScript URI and the data URI as well, which point to alert document.domain. And one JavaScript URI says I'm on htmleditor.squarefree.com, while the data URI says the null domain. So basically the data URI was supposed to execute in the main domain's reference a couple of years back, but then it created a lot of mess with the browsers. So the browser vendors decided to execute it in the null domain reference just to make it safe. So at this point of time I decided, OK, JavaScript URIs are like the best candidate for us, so why not try it? So I tried the same JavaScript URI with browser.tabs.create, and again, it didn't work for me. But again, we have a friend called the .update method. I tried the same thing with the JavaScript URI: browser.tabs.update, which again calls javascript:alert(document.domain). And it worked for me this time. So you can figure it out with this picture. This extension should have been able to run on google.com only. Now we are on bing.com, and if you click on the open button, we have JavaScript code execution on bing.com. This is how bad it was, because that's a total violation of the privacy, because the user believes that this extension shouldn't be able to run on any other domain except google.com.

So this was again reported to Microsoft saying: okay, so last time I reported that I'm able to load the local files, but you said you're not going to fix it. And now we have JavaScript code execution as well. So then again they said: Okay, we got your concern, we understand what you're trying to say, but can you also alert the user's cookies as well? Like, is it possible to steal the user's cookies? Then I said, okay, why not? So instead of document.domain, you can just use document.cookie to pop up the user's cookies as well. So, since we have a host access permission bypass on Edge, we can steal Google e-mails, even Facebook data or anything like that. So to demonstrate this attack, let's suppose we have a simple Google e-mail. It says, I'm a secret e-mail and I have some coupon code for a thousand dollar cashback, and then there we have some random coupon code. So to demonstrate this attack, you can see I'm using browser.tabs.update that points to a certain JavaScript URI, and what it does is it fetches the particular e-mail with the particular ID, opens a new tab and sends it to leak.html. And further, what leak.html does is it copies the value from location.hash and writes it onto the page. So as soon as you click on the open button, if you are on mail.google.com, it will steal the particular e-mail and display it back on the attacker's domain. So this is how I was able to steal the Google e-mails. So this proof of concept was sent to Microsoft, and the same thing with the local files as well. Like, I thought, okay, now it's working for the domain, now what if we try the same thing with the local files as well? So yeah, in this case it worked as well. So if you remember, in the past, when we were able to load local files, Microsoft said, OK, we are not going to fix it because we don't support the download API. And now we have JavaScript code execution on local files as well. So we can chain both of these bugs to steal the local files as well. So here's a simple proof of concept. At first what we are doing is browser.tabs.update that points to a file URI, and again browser.tabs.update that points to a JavaScript URI. So Microsoft was like, OK, now we have to fix it.

But what is next? So far we have JavaScript code execution on local files. We also have host access permission bypass. Now what is next? So the next thing that came to my mind is always the privileged pages, as I already explained the sensitivity of the privileged pages. So the next moment I was so excited that this will work on the privileged pages as well. So again I wrote these five lines of code and tried to execute in reference to about:flags. And surprisingly, it wasn't working for me. And I was so surprised, like, why is this not working, and like shaking my head, like, what is wrong? So the next moment I was trying to figure out what is wrong with this implementation, like why it is not working. Maybe there are some errors in the console. So I tried to open the developer console to figure out the possible errors. But you can see there are no such errors at all. So the reason for that is most of the sensitive pages in browsers like Chrome, Firefox and even Edge are protected by a CSP to make sure there shouldn't be any JavaScript code execution. But we cannot see any CSP errors here as well, which was pretty strange for me. So then again I asked myself, why is this black magic not working on privileged pages, even when we don't have the CSP error? Maybe this time Edge is playing smart. Do we have any other way to load about:flags in Edge? Then the next idea that came to my mind is to use the res protocol. The res protocol is something that is used to fetch some sort of resources from a module. So instead of about:flags, we can call res://edgehtml.dll/flag.htm, and the next moment it worked. So...

*applause*

Mittal: So this way we now have JavaScript code execution on privileged pages as well, which is pretty bad. So once you have JavaScript code execution on privileged pages, you can enable and disable Adobe Flash Player, and there are other methods, other possible options which we have already discussed, which can also be possible with the same thing. So again, what we need to do is to call browser.tabs.update that points to edgehtml.dll/flags.htm, and again some sort of JavaScript URI to fetch, get element by ID and then click on it. So it will toggle the Adobe Flash Player setting on Edge.

Again, what is next? So this was pretty enough for me, but again, I was trying to figure out if we can do something else as well. And then I started with the reading mode. So reading mode is a feature implemented in Edge which renders a page in a way that is kind of pretty easy to read. In this process, Edge makes sure that there shouldn't be any JavaScript code execution on the page. The main purpose of reading mode is to provide a simplified page to the users. So basically there should not be any advertisement or something like that. So for that reason, browser vendors make sure there shouldn't be any JavaScript code execution in reading mode. And there was one bug with the reading mode as well: you cannot put any document in reader mode unless the browser identifies its compatibility. But you can append the read: protocol at the front and then the URL that points to some sort of domain, and then Edge will load the particular resources in the reading mode as well. So fortunately, I tried the same attack on the reading mode as well. But since the reading mode was protected with a certain CSP, you can see the CSP error. It says we do not allow inline script, and it really got blocked by Edge. So reading mode was kind of safe, at least for the test cases, but in certain test cases it worked for me, but I was not able to reproduce it further. So that's why I marked it as safe.

The other possible feature we can have is JavaScript code execution on other extension pages. Like again, you can imagine a situation when one extension is able to disable another extension in the browser, like how bad it will be. So again, now we are on an internal page that belongs to Adblock Plus. And if we try to run our extension on this page, then again we have CSP violation issues. So that was safe.

The next thing was some CSP privilege issues, because the host permission will not work if there is any CSP error. So next, I tried to figure out if we can use the executeScript API to figure out how to deal with the CSP. So let's assume we have a page where the CSP is implemented properly and we have a host permission for the same. So you can see the code where we are setting the Content Security Policy, which is set to default-src self, and we are using browser.tabs.executeScript with this code, where we have to pass the JavaScript code, which is a simple alert(document.domain). So the way extensions deal with the CSP is that most of the browsers will allow JavaScript from any extension unless it tries to change the DOM tree of the particular document. So let's suppose we have the first example right here. In this case, as I said, let's assume we are on a page which has a perfect CSP in place like this, and we try to change the DOM for that particular page. So the possible ways we have are: either we can use document.write, or we can use document.body.innerHTML and then insert the JavaScript code, and the other possible way we have is to generate a random element and then write inside it. So all these ways to manipulate the particular DOM tree on a CSP protected page were not allowed by most of the browsers like Firefox and Chrome, but it was not protected in the case of Edge. The executeScript API is as straightforward as executing any JavaScript code on any domain, whether you try to change the DOM on a CSP protected page or not. It doesn't matter to it.

So to conclude this presentation: Edge extensions are still in development. Most of the APIs are not supported till this time, because Edge has moved to the new Chromium based browser as well. So I'm not sure whether they have started developing the extensions API or not, but activeTab is one of the interesting permissions to work on, because it allows you to execute JavaScript code on the current domain. So if you are able to perform the same sort of attack with the tabs API as well, pretty much you can have all of what I presented here as well. So Microsoft finally decided to fix this bug in the March 19 update with the highest possible bounty they have, with CVE-2019-0678. Now, that's it.

Herald: So thank you, Nikhil, for an interesting talk. If you have questions about the talk, we have three microphones, one, two and three, in each one of the aisles. If you have a question, please come to the microphone. We'll start from microphone number three.

Question: Hi, and thank you for the interesting talk. I have one question. Is this bug, or is this API, also relevant for the new Edge coming in January, based on the Chromium engine?

Mittal: No, I guess. So the APIs are the same, but since the new Edge is running on Chrome, they will not support this API because they use some other calling conventions, I guess, I believe. Does that answer your question?

Q: Yeah. But I have a second one.

Herald: Yeah. Go for it.

Q: Okay. The second one is: you tried to open the pages via the res protocol. But the functionality of those pages, is it also handled by Edge while opening it through the res protocol, not the about protocol?

Mittal: Yes, I guess.

Q: Okay. They were also working?

Mittal: Yeah.

Q: Okay. Thank you.

Herald: Any more questions from the crowd or from the internet? Okay. Then another round of applause for Nikhil for a great talk.

*36c3 outro music*