[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:00.50,Default,,0000,0000,0000,,*36C3 preroll music* Dialogue: 0,0:00:00.50,0:00:23.20,Default,,0000,0000,0000,,Herald: The next speaker works as a\Nsecurity consultant at Payatu software Dialogue: 0,0:00:23.20,0:00:28.18,Default,,0000,0000,0000,,labs, and he loves finding security flaws\Nin the Microsoft Edge browser. And Dialogue: 0,0:00:28.18,0:00:33.40,Default,,0000,0000,0000,,incidentally, this is the topic for this\Nnext talk. So please give a big round of Dialogue: 0,0:00:33.40,0:00:35.11,Default,,0000,0000,0000,,applause to Nikhil Mittal. Dialogue: 0,0:00:35.11,0:00:35.16,Default,,0000,0000,0000,,*applause* Dialogue: 0,0:00:35.16,0:00:49.87,Default,,0000,0000,0000,,Nikhil Mittal: So, welcome to the talk:\NBreaking Microsoft Edge Extensions Dialogue: 0,0:00:49.87,0:00:55.90,Default,,0000,0000,0000,,Security Policies. My name is Nikhil, I\Nwork at Payatu Labs. And I am into web Dialogue: 0,0:00:55.90,0:01:01.06,Default,,0000,0000,0000,,browser vulnerability research. So to\Nstart with this presentation, I would like Dialogue: 0,0:01:01.06,0:01:06.85,Default,,0000,0000,0000,,to know how many of you uses browser\Nextensions in general, like... Oh, nice. Dialogue: 0,0:01:06.85,0:01:13.66,Default,,0000,0000,0000,,So many of us. OK. So a browser extension\Nis something that extends the Dialogue: 0,0:01:13.66,0:01:18.82,Default,,0000,0000,0000,,functionality of your web browsers. We\Nhave a typical examples like Adblock Plus, Dialogue: 0,0:01:18.82,0:01:25.66,Default,,0000,0000,0000,,which I think most of the people uses to\Nblock the ads on some certain sites like Dialogue: 0,0:01:25.66,0:01:32.47,Default,,0000,0000,0000,,YouTube. And Grammarly and some sort of\Npassword managers as well. 
So these Dialogue: 0,0:01:32.47,0:01:37.93,Default,,0000,0000,0000,,extensions are capable of managing most of\Nyour data because they can handle the Dialogue: 0,0:01:37.93,0:01:44.20,Default,,0000,0000,0000,,cookies, bookmarks, storage, passwords,\Nhistory and what not. So that being said, Dialogue: 0,0:01:44.20,0:01:49.87,Default,,0000,0000,0000,,we all have to agree on a point that these\Nextensions are powerful, because they can Dialogue: 0,0:01:49.87,0:01:54.73,Default,,0000,0000,0000,,deal with your cookies, bookmarks and\Nother sensitive information in the Dialogue: 0,0:01:54.73,0:02:03.76,Default,,0000,0000,0000,,browsers. So here is how simple AdBlock\NPlus extension looks like on Microsoft Dialogue: 0,0:02:03.76,0:02:10.60,Default,,0000,0000,0000,,Edge, which is pretty much doing its job.\NNow. Have you ever tried to figure out Dialogue: 0,0:02:10.60,0:02:17.83,Default,,0000,0000,0000,,what this extension is capable of doing in\Nyour browser? So if you look at the Dialogue: 0,0:02:17.83,0:02:23.44,Default,,0000,0000,0000,,settings. Here we have a couple of\Npermissions, which I've listed down on the Dialogue: 0,0:02:23.44,0:02:29.95,Default,,0000,0000,0000,,next slide. So it's simple Adblock Plus\Nextension, can read and change content on Dialogue: 0,0:02:29.95,0:02:34.63,Default,,0000,0000,0000,,websites that you visit. It can read and\Nchange your favorites. It can see the Dialogue: 0,0:02:34.63,0:02:39.34,Default,,0000,0000,0000,,websites you visit. It can read and change\Nanything you send or receive. And it can Dialogue: 0,0:02:39.34,0:02:44.44,Default,,0000,0000,0000,,also store personal browsing data on your\Nbrowser and it can also display Dialogue: 0,0:02:44.44,0:02:50.56,Default,,0000,0000,0000,,notifications as well. 
So there are so\Nmany things a simple Adblock Plus Dialogue: 0,0:02:50.56,0:02:57.94,Default,,0000,0000,0000,,extension can able to do in your browser.\NSo you might ask like how browsers Dialogue: 0,0:02:57.94,0:03:03.55,Default,,0000,0000,0000,,recognize these permissions, like a\Nextension is able to do so many things in Dialogue: 0,0:03:03.55,0:03:07.99,Default,,0000,0000,0000,,my browser. But how does browser recognize\Nlike where are these permissions coming Dialogue: 0,0:03:07.99,0:03:16.72,Default,,0000,0000,0000,,from? So here is a permission modeling\Nbrowser extensions. So under the source of Dialogue: 0,0:03:16.72,0:03:23.14,Default,,0000,0000,0000,,every extensions, we have a file called as\Nmanifest.json and inside of manifest.json Dialogue: 0,0:03:23.14,0:03:30.22,Default,,0000,0000,0000,,file we have a permission area. So, here's\Na quick example of a permission area, Dialogue: 0,0:03:30.22,0:03:37.03,Default,,0000,0000,0000,,where we have some permissions. So the\Nfirst one is a https://www.google.com, Dialogue: 0,0:03:37.03,0:03:42.19,Default,,0000,0000,0000,,which we'll see right after this slide.\NThe next permission we have is bookmarks Dialogue: 0,0:03:42.19,0:03:49.81,Default,,0000,0000,0000,,and cookies, history, storage and tabs. So\Nlet's suppose an extension has a Dialogue: 0,0:03:49.81,0:03:54.49,Default,,0000,0000,0000,,permissions with the bookmarks and\Ncookies. So that means that extension can Dialogue: 0,0:03:54.49,0:03:59.50,Default,,0000,0000,0000,,handle your bookmarks. It can manipulate\Nthem. It can edit them. It can remove them Dialogue: 0,0:03:59.50,0:04:03.94,Default,,0000,0000,0000,,and what not. So the same goes with the\Ncookies, history as well. And there are Dialogue: 0,0:04:03.94,0:04:12.91,Default,,0000,0000,0000,,other important permissions as well\Navailable for the browsers. 
So apart from Dialogue: 0,0:04:12.91,0:04:19.48,Default,,0000,0000,0000,,these permissions, the most interesting\Npermission that I was looking for is the Dialogue: 0,0:04:19.48,0:04:23.26,Default,,0000,0000,0000,,host access permissions. So the host\Naccess permission is something that Dialogue: 0,0:04:23.26,0:04:28.45,Default,,0000,0000,0000,,defines on which certain domains your\Nbrowser extensions should able to run. So Dialogue: 0,0:04:28.45,0:04:32.74,Default,,0000,0000,0000,,in this case, let's suppose we have\Nassigned a permissions to a Dialogue: 0,0:04:32.74,0:04:39.94,Default,,0000,0000,0000,,https://www.google.com. So that means this\Nextension should able to run on Google.com Dialogue: 0,0:04:39.94,0:04:45.46,Default,,0000,0000,0000,,only, not even the subdomain that is\Ndeveloper.google.com or mail.google.com. Dialogue: 0,0:04:45.46,0:04:51.49,Default,,0000,0000,0000,,So this you can also verify with the tiny\Nbox that says this is allowed to read and Dialogue: 0,0:04:51.49,0:04:58.24,Default,,0000,0000,0000,,change content on some sites\Nwww.google.com. Now the second permission Dialogue: 0,0:04:58.24,0:05:05.17,Default,,0000,0000,0000,,we could have in this here is\Nhttps://*.google.com. So basically this Dialogue: 0,0:05:05.17,0:05:11.50,Default,,0000,0000,0000,,also covers the subdomains as well. And\Nthe third possible permission we can have Dialogue: 0,0:05:11.50,0:05:19.51,Default,,0000,0000,0000,,is *://*.google.com. So basically this is\Nnow not only I'll work on google.com, but Dialogue: 0,0:05:19.51,0:05:26.23,Default,,0000,0000,0000,,basically on all the protocols as well,\Nwhich is HTTP, HTTPS, might be FTP. That Dialogue: 0,0:05:26.23,0:05:32.38,Default,,0000,0000,0000,,belongs to the particular domain. So apart\Nfrom these three permissions, we have the Dialogue: 0,0:05:32.38,0:05:37.90,Default,,0000,0000,0000,,another permission in the roll, which is\N. 
This permission is so special Dialogue: 0,0:05:37.90,0:05:44.80,Default,,0000,0000,0000,,because once a browser extension is\Nassigned to all_urls permissions that can Dialogue: 0,0:05:44.80,0:05:50.11,Default,,0000,0000,0000,,execute Javascript code on every domain\Nthat you visit. So let's suppose you are Dialogue: 0,0:05:50.11,0:05:55.45,Default,,0000,0000,0000,,on google.com or maybe you're on bing.com\Nor anything else it will work on most Dialogue: 0,0:05:55.45,0:06:03.85,Default,,0000,0000,0000,,probably on every domain. But there are\Nfew restrictions with the all_urls Dialogue: 0,0:06:04.36,0:06:10.33,Default,,0000,0000,0000,,permissions. That is, it cannot run on\Nprivileged pages. So if privileged pages Dialogue: 0,0:06:10.33,0:06:16.27,Default,,0000,0000,0000,,in browser is something that contains some\Nsort of sensitive settings on your browser Dialogue: 0,0:06:16.27,0:06:22.45,Default,,0000,0000,0000,,data, so you might heard of\Nchrome://settings, which contains the Dialogue: 0,0:06:22.45,0:06:28.15,Default,,0000,0000,0000,,password manager for Chrome. And also you\Ncan identify the credit card and debit Dialogue: 0,0:06:28.15,0:06:34.42,Default,,0000,0000,0000,,card information on chrome://settings as\Nwell. So you can imagine a situation once Dialogue: 0,0:06:34.42,0:06:39.49,Default,,0000,0000,0000,,the extension is able to run a Javascript\Ncode on Chrome setting page then it can Dialogue: 0,0:06:39.49,0:06:44.35,Default,,0000,0000,0000,,probably read, or it can steal all of your\Npasswords and credit and debit card Dialogue: 0,0:06:44.35,0:06:49.63,Default,,0000,0000,0000,,information as well. So on the Edge, we\Nhave a similar page, which is about:flags. Dialogue: 0,0:06:50.23,0:06:59.24,Default,,0000,0000,0000,,So here you can see one extension with\N permission is assigned. It can Dialogue: 0,0:06:59.24,0:07:06.11,Default,,0000,0000,0000,,read and change content on websites you\Nvisit. As for the Edge. 
So here's a quick Dialogue: 0,0:07:06.11,0:07:11.75,Default,,0000,0000,0000,,snap of about:flags in Edge. And so if you\Nlook at the first part, you will figure Dialogue: 0,0:07:11.75,0:07:17.12,Default,,0000,0000,0000,,out there are a few embedded permissions.\NLike you can enable Adobe Flash Player. Dialogue: 0,0:07:17.12,0:07:23.57,Default,,0000,0000,0000,,You can also enable developer features.\NAnd also you can enable and disable allow Dialogue: 0,0:07:23.57,0:07:28.73,Default,,0000,0000,0000,,an unrestricted memory consumption for the\NWeb pages as well. And it also has some Dialogue: 0,0:07:28.73,0:07:33.50,Default,,0000,0000,0000,,standard previews features, like you can\Nenable / disable some experimental Dialogue: 0,0:07:33.50,0:07:37.70,Default,,0000,0000,0000,,Javascript features as well. So now you\Ncan imagine what the sensitivity of this Dialogue: 0,0:07:37.70,0:07:45.56,Default,,0000,0000,0000,,page contains, okay? So let's quickly\Nbuild an extension. So that will break Dialogue: 0,0:07:45.56,0:07:51.29,Default,,0000,0000,0000,,most of the things in Edge. So as I said,\Nevery extension has a manifest.json file Dialogue: 0,0:07:51.29,0:07:58.43,Default,,0000,0000,0000,,which has all the permission and other\Nconfigurations. The second file that we Dialogue: 0,0:07:58.43,0:08:03.98,Default,,0000,0000,0000,,will be needing is popup.html. So\Npopup.html is nothing, but it's just Dialogue: 0,0:08:03.98,0:08:08.33,Default,,0000,0000,0000,,interface for the browser extension. So\Nbasically you might have noticed as soon Dialogue: 0,0:08:08.33,0:08:13.49,Default,,0000,0000,0000,,as you click on any of the browser\Nextension, a pop up appears on your window Dialogue: 0,0:08:13.49,0:08:18.92,Default,,0000,0000,0000,,for that contain some sort of functions.\NThat is nothing but just a popup.html Dialogue: 0,0:08:18.92,0:08:25.13,Default,,0000,0000,0000,,file. 
And then again we have a popup.js\Nwhich has all the Javascript code that Dialogue: 0,0:08:25.13,0:08:32.39,Default,,0000,0000,0000,,executes according to the actions chosen\Nby the popup.html. So this is how our Dialogue: 0,0:08:32.39,0:08:38.87,Default,,0000,0000,0000,,extension should have looked. And on the\Nedge. So we have seen a tiny Microsoft Dialogue: 0,0:08:38.87,0:08:44.63,Default,,0000,0000,0000,,logo and as soon as you click on it, a\Npopup will appear. It says, I am the evil Dialogue: 0,0:08:44.63,0:08:49.91,Default,,0000,0000,0000,,extension and I have two options. The\Nfirst one is open. The second one is Dialogue: 0,0:08:49.91,0:08:54.92,Default,,0000,0000,0000,,execute. So as soon as you click on the\Nopen button, what it does is it will load Dialogue: 0,0:08:54.92,0:08:59.72,Default,,0000,0000,0000,,google.com on the browser. And as soon as\Nyou click on the execute button, it will Dialogue: 0,0:08:59.72,0:09:05.30,Default,,0000,0000,0000,,just alert(1) for you. So basically. So\Nbasically the interface is written in Dialogue: 0,0:09:05.90,0:09:11.30,Default,,0000,0000,0000,,popup.html. And again, as soon as you\Nclick on execute, so the work is done by Dialogue: 0,0:09:11.30,0:09:17.39,Default,,0000,0000,0000,,popup.js. So let's quickly look at the\Nsource code for the manifest.json file. Dialogue: 0,0:09:17.39,0:09:23.60,Default,,0000,0000,0000,,The thing to notice here is that you can\Nfigure out the permission area on line Dialogue: 0,0:09:23.60,0:09:30.65,Default,,0000,0000,0000,,number 10, which is set to\Nhttp://www.google.com. That means it's Dialogue: 0,0:09:30.65,0:09:35.87,Default,,0000,0000,0000,,clear that this extension should be able\Nto run on google.com only. I mean not on Dialogue: 0,0:09:35.87,0:09:43.58,Default,,0000,0000,0000,,the subdomains even. So here's the source\Ncode for the popup.html, which is just a Dialogue: 0,0:09:43.58,0:09:47.78,Default,,0000,0000,0000,,simple HTML file that has two buttons. 
The\Nfirst one is open, the second one is Dialogue: 0,0:09:47.78,0:09:56.15,Default,,0000,0000,0000,,execute. And it has a popup.js at the end.\NSo here we have the popup.js. So in very Dialogue: 0,0:09:56.15,0:10:01.31,Default,,0000,0000,0000,,brief manner. What it does is as soon as\Nyou click on the open button, it loads Dialogue: 0,0:10:01.31,0:10:06.23,Default,,0000,0000,0000,,google.com. And as soon as you click on\Nthe execute button, it calls the Dialogue: 0,0:10:06.23,0:10:15.98,Default,,0000,0000,0000,,JavaScript. It alerts document.domain for\Nyou. So there are so many APIs available Dialogue: 0,0:10:15.98,0:10:20.96,Default,,0000,0000,0000,,for the browser extensions that you can\Nuse like history API and some sort of Dialogue: 0,0:10:20.96,0:10:28.46,Default,,0000,0000,0000,,proxys API, tabs API. But for me this tabs\NAPI was so interesting because it allows Dialogue: 0,0:10:28.46,0:10:36.44,Default,,0000,0000,0000,,you to play with different tabs like it\Nhas some function, methods inside, like Dialogue: 0,0:10:37.37,0:10:42.17,Default,,0000,0000,0000,,tabs.create. So what it does is it allows\Nyou to create a new tab with any arbitrary Dialogue: 0,0:10:42.17,0:10:48.77,Default,,0000,0000,0000,,domain and it also has tabs.update. And\Nwhat it does is it allows you to update Dialogue: 0,0:10:48.77,0:10:53.70,Default,,0000,0000,0000,,the page with the next URI. And\Ntabs.duplicate is also important because Dialogue: 0,0:10:53.70,0:11:00.57,Default,,0000,0000,0000,,it allows you to make a exact replica of\Nan already open tab. The next method is Dialogue: 0,0:11:00.57,0:11:07.10,Default,,0000,0000,0000,,tabs.executeScript. So this is pretty\Nsimple. This allows you to execute Dialogue: 0,0:11:07.10,0:11:12.78,Default,,0000,0000,0000,,JavaScript code and tabs.hide and\Ntabs.reload, which is pretty easy. And Dialogue: 0,0:11:12.78,0:11:19.00,Default,,0000,0000,0000,,there are so many other methods as well.\NSo out of them. 
The most interesting one Dialogue: 0,0:11:19.00,0:11:24.38,Default,,0000,0000,0000,,for me was create and update and also the\Nduplicate method. So let's say if you want Dialogue: 0,0:11:24.38,0:11:31.16,Default,,0000,0000,0000,,to load a new. So let's say if you want to\Nload bing.com on a new tab using a browser Dialogue: 0,0:11:31.16,0:11:37.90,Default,,0000,0000,0000,,extension so you can just write this five\Nlines of code that calls Dialogue: 0,0:11:37.90,0:11:44.88,Default,,0000,0000,0000,,browser.tabs.create. And then it passes a\NURL which is https www.google.com. So this Dialogue: 0,0:11:44.88,0:11:51.87,Default,,0000,0000,0000,,is as far as the documentation and this is\Nfor the good boys like not for us. So as Dialogue: 0,0:11:51.87,0:11:58.77,Default,,0000,0000,0000,,an evil mind, like I was interested to\Nknow, like what would happen if I tried to Dialogue: 0,0:11:58.77,0:12:05.47,Default,,0000,0000,0000,,load local files instead of a normal\Ndomain? So then I replaced the bing URL Dialogue: 0,0:12:05.47,0:12:13.17,Default,,0000,0000,0000,,with a particular local file URI to try to\Nfigure out like how browser will treat it. Dialogue: 0,0:12:13.17,0:12:19.18,Default,,0000,0000,0000,,Will it open it or not? So so the next\Nmoment Edge gives me this nice error. Dialogue: 0,0:12:19.18,0:12:24.71,Default,,0000,0000,0000,,Like, ok, I can't reach this page and you\Nmake sure you have got the right web Dialogue: 0,0:12:24.71,0:12:30.18,Default,,0000,0000,0000,,address. That is ms-browser-extension and\Nthen the part for the extension and it Dialogue: 0,0:12:30.18,0:12:35.22,Default,,0000,0000,0000,,appends the file URI part in the last. So\Nbasically is assumes that this is a Dialogue: 0,0:12:35.22,0:12:40.14,Default,,0000,0000,0000,,relative path and I'm going to add it with\Nthe extension path and I'm going to try Dialogue: 0,0:12:40.14,0:12:47.38,Default,,0000,0000,0000,,and I'm going to open it. 
So since that\Nparticular path doesn't exist, it gives us Dialogue: 0,0:12:47.38,0:12:55.26,Default,,0000,0000,0000,,an error. So this is not a thing with the\Nextension as well. But this is in general Dialogue: 0,0:12:55.26,0:13:00.04,Default,,0000,0000,0000,,like any of the browser. They don't allow\Nyou to load local files at any cost Dialogue: 0,0:13:00.04,0:13:05.52,Default,,0000,0000,0000,,because this might lead an issue to steal\Nyour local systems files so you can see Dialogue: 0,0:13:05.52,0:13:10.28,Default,,0000,0000,0000,,the image and the Edge and Chrome\Nbrowsers. So here I am trying to load Dialogue: 0,0:13:10.28,0:13:16.16,Default,,0000,0000,0000,,local files using the Javascript. So every\Ntime it says okay, we are not allowed to Dialogue: 0,0:13:16.16,0:13:23.44,Default,,0000,0000,0000,,do that because we care about our users\Nand we will protect them. So since we Dialogue: 0,0:13:23.44,0:13:29.75,Default,,0000,0000,0000,,figured out this browser.tabs.create\Nmethod was not working for us, the next Dialogue: 0,0:13:29.75,0:13:36.87,Default,,0000,0000,0000,,method that I was looking for the update.\NSo I tried the same thing with the update Dialogue: 0,0:13:36.87,0:13:43.84,Default,,0000,0000,0000,,method and somehow it worked for me. So\Nnext. Once I figured out, okay, now I can Dialogue: 0,0:13:43.84,0:13:50.12,Default,,0000,0000,0000,,load the local files. Now I want to load\Nthe privileged pages because they're also Dialogue: 0,0:13:50.12,0:13:55.57,Default,,0000,0000,0000,,interesting for me. And it was also\Nworking fine for me at the moment. 
So here Dialogue: 0,0:13:55.57,0:14:00.92,Default,,0000,0000,0000,,you can see as well as you click on the\Nopen button browser load, say local file Dialogue: 0,0:14:00.92,0:14:07.66,Default,,0000,0000,0000,,for me and also a privilege page on Edge.\NSo I've reported this back to Microsoft, Dialogue: 0,0:14:07.66,0:14:14.23,Default,,0000,0000,0000,,but, and they quickly responded back to me\Nsaying we don't support download API. So Dialogue: 0,0:14:14.23,0:14:19.08,Default,,0000,0000,0000,,even if you load the local files, you have\Nno way to steal it. Like, you literally Dialogue: 0,0:14:19.08,0:14:24.44,Default,,0000,0000,0000,,cannot do anything by loading the local\Nfiles. And we are not going to fix it. So Dialogue: 0,0:14:24.44,0:14:30.42,Default,,0000,0000,0000,,I said, okay, let's do it another way. So\Nthe next moment the idea came to my mind Dialogue: 0,0:14:30.42,0:14:36.08,Default,,0000,0000,0000,,is to use the JavaScript URI. A JavaScript\NURI is something that start with the Dialogue: 0,0:14:36.08,0:14:41.83,Default,,0000,0000,0000,,Javascript protocol. It has a particular\Nsyntax like first javascript and then Dialogue: 0,0:14:41.83,0:14:48.13,Default,,0000,0000,0000,,colon and then the Javascript code. Here\Nwe have a simple examples like as soon as Dialogue: 0,0:14:48.13,0:14:53.59,Default,,0000,0000,0000,,the a href javascript:alert(1), it gets\Nrendered in the browser and you click on Dialogue: 0,0:14:53.59,0:14:59.46,Default,,0000,0000,0000,,the test, a Javascript code will pop up on\Nyour browser. So the good thing about the Dialogue: 0,0:14:59.46,0:15:05.56,Default,,0000,0000,0000,,JavaScript URI is that they execute in the\Nmain domains reference unlike the data Dialogue: 0,0:15:05.56,0:15:11.40,Default,,0000,0000,0000,,URIs. So you can look into the image. We\Nhave javascript URI and the data URIs as Dialogue: 0,0:15:11.40,0:15:15.53,Default,,0000,0000,0000,,well, that points to alert\Ndocument.domain. 
And one Javascript URI Dialogue: 0,0:15:15.53,0:15:20.98,Default,,0000,0000,0000,,says I'm on htmleditor.squarefree.com.\NWhile the data URI said the null domain. Dialogue: 0,0:15:20.98,0:15:27.77,Default,,0000,0000,0000,,So basically the data URI was supposed to\Nexecute on the main domains reference a Dialogue: 0,0:15:27.77,0:15:33.01,Default,,0000,0000,0000,,couple of years back, but then it creates\Na lot of mess with the browser. So browser Dialogue: 0,0:15:33.01,0:15:38.62,Default,,0000,0000,0000,,vendors they decided to execute in the\Nnull domain reference to just to make it Dialogue: 0,0:15:38.62,0:15:44.92,Default,,0000,0000,0000,,do the safe. So at this point of time I\Ndecided, ok Javascript URIs are like the Dialogue: 0,0:15:44.92,0:15:52.95,Default,,0000,0000,0000,,best candidate for us, so why not try it?\NSo I've tried the same Javascript URI with Dialogue: 0,0:15:52.95,0:16:04.02,Default,,0000,0000,0000,,browser.tabs.create and again, it was, it\Ndoesn't work for me. But again, we have a Dialogue: 0,0:16:04.02,0:16:10.58,Default,,0000,0000,0000,,friend called dot update method. I tried\Nthe same thing with the JavaScript URI Dialogue: 0,0:16:10.58,0:16:14.17,Default,,0000,0000,0000,,that points to browser.tabs.update, which\Nagain calls Dialogue: 0,0:16:14.17,0:16:20.20,Default,,0000,0000,0000,,javascript:alert(document.domain). And it\Nworked for me this time. So you can figure Dialogue: 0,0:16:20.20,0:16:25.33,Default,,0000,0000,0000,,it out with this picture. This extension\Nshould have able to run on Google dot com. 
Dialogue: 0,0:16:25.33,0:16:29.68,Default,,0000,0000,0000,,Now we are on a big dot com and if you\Nclick on the open button, we have a Dialogue: 0,0:16:29.68,0:16:35.52,Default,,0000,0000,0000,,Javascript code execution on bing.com.\NThis is how bad it was, because that's a Dialogue: 0,0:16:35.52,0:16:41.68,Default,,0000,0000,0000,,total violation of the privacy, because\Nthe user believes that this extension Dialogue: 0,0:16:41.68,0:16:47.86,Default,,0000,0000,0000,,shouldn't be able to run on the other\Ndomain, except the google.com. So this was Dialogue: 0,0:16:47.86,0:16:54.36,Default,,0000,0000,0000,,again reported to the Microsoft saying,\Nokay. So in the last time I reported like Dialogue: 0,0:16:54.36,0:16:59.48,Default,,0000,0000,0000,,I'm able to load the local files, but you\Nsaid I'm not going to fix it. And now we Dialogue: 0,0:16:59.48,0:17:04.100,Default,,0000,0000,0000,,have a JavaScript code execution as well.\NSo then again, they said: Okay, like we Dialogue: 0,0:17:04.100,0:17:10.16,Default,,0000,0000,0000,,got your concern. We understand what\Nyou're trying to say, but can you also Dialogue: 0,0:17:10.16,0:17:16.70,Default,,0000,0000,0000,,alert users's cookies as well? Like, is it\Npossible to steal the user's cookies? Then Dialogue: 0,0:17:16.70,0:17:21.28,Default,,0000,0000,0000,,I said, okay, why not? So instead of\Ndocument or domain, you can just use Dialogue: 0,0:17:21.28,0:17:28.83,Default,,0000,0000,0000,,document.cookie to pop up users cookies as\Nwell. So. Since we have host access Dialogue: 0,0:17:28.83,0:17:37.42,Default,,0000,0000,0000,,permission bypass on Edge so we can steal\NGoogle e-mails, even Facebook data or Dialogue: 0,0:17:37.42,0:17:42.84,Default,,0000,0000,0000,,anything like that. So to demonstrate this\Nattack, let's suppose we have a simple Dialogue: 0,0:17:42.84,0:17:47.79,Default,,0000,0000,0000,,Google E-mail. 
It says, I'm a secret\Ne-mail and I have some coupon code for Dialogue: 0,0:17:47.79,0:17:53.35,Default,,0000,0000,0000,,thousand dollar cashback. And then there\Nwe have some random coupon code. So to Dialogue: 0,0:17:53.35,0:17:59.26,Default,,0000,0000,0000,,demonstrate this attack, you can see I'm\Nusing browser.tabs.update that points to a Dialogue: 0,0:17:59.26,0:18:05.51,Default,,0000,0000,0000,,certain Javascript URI and what it does is\Nit fetches the particular e-mail with the Dialogue: 0,0:18:05.51,0:18:12.68,Default,,0000,0000,0000,,particular ID and opens a new tab and send\Nit to the leak.html. And further, what Dialogue: 0,0:18:12.68,0:18:21.32,Default,,0000,0000,0000,,leak.html does is it copies the value from\Nlocation.hash and write it onto the page. Dialogue: 0,0:18:21.32,0:18:27.55,Default,,0000,0000,0000,,So as soon as you click on the open\Nbutton, if you are on mail.google.com, it Dialogue: 0,0:18:27.55,0:18:32.13,Default,,0000,0000,0000,,will steal the particular e-mail and\Ndisplay it back on the attackers domain. Dialogue: 0,0:18:32.13,0:18:37.55,Default,,0000,0000,0000,,So this is how I was able to steal the\Ngoogle e-mails. So this proof of concept Dialogue: 0,0:18:37.55,0:18:43.18,Default,,0000,0000,0000,,was sent to the Microsoft and the same\Nthing with the local files as well. Like I Dialogue: 0,0:18:43.18,0:18:48.33,Default,,0000,0000,0000,,thought, okay, now it's working for the\Ndomain. Now what if we tried with the same Dialogue: 0,0:18:48.33,0:18:54.00,Default,,0000,0000,0000,,thing with the local files as well? So\Nyeah, in this case it was, it worked as Dialogue: 0,0:18:54.00,0:18:59.38,Default,,0000,0000,0000,,well. So if you remember in the last in\Nthe past when we were able to load local Dialogue: 0,0:18:59.38,0:19:03.91,Default,,0000,0000,0000,,files, but Microsoft says, OK, we are not\Ngoing to fix it because we don't support Dialogue: 0,0:19:03.91,0:19:08.96,Default,,0000,0000,0000,,download API. 
And now we have a Javascript\Ncode execution on local files as well. So Dialogue: 0,0:19:08.96,0:19:14.34,Default,,0000,0000,0000,,we can chain both of these bugs to steal\Nthe local files as well. So here's a Dialogue: 0,0:19:14.34,0:19:20.82,Default,,0000,0000,0000,,simple proof of concept. So at first what\Nwe are doing is browser.tabs.update that Dialogue: 0,0:19:20.82,0:19:26.62,Default,,0000,0000,0000,,points to a file URI. And again,\Nbrowser.tabs.update that points to a Dialogue: 0,0:19:26.62,0:19:34.98,Default,,0000,0000,0000,,javascript URI. So Microsoft was like, OK.\NNow we have to fix. But what is next? So Dialogue: 0,0:19:34.98,0:19:43.31,Default,,0000,0000,0000,,so far we have Javascript code execution\Non local files. We also have host access Dialogue: 0,0:19:43.31,0:19:49.58,Default,,0000,0000,0000,,permission bypass. Now what is next? So\Nthe next thing that came to my mind is Dialogue: 0,0:19:49.58,0:19:55.06,Default,,0000,0000,0000,,always the privilege pages, as I already\Nexplained the sensitivity of the Dialogue: 0,0:19:55.06,0:20:00.82,Default,,0000,0000,0000,,privileged pages. So the next moment I was\Nso excited that this will work on the Dialogue: 0,0:20:00.82,0:20:06.53,Default,,0000,0000,0000,,privileged pages as well. So again, I\Nwrote this five line of code and tried to Dialogue: 0,0:20:06.53,0:20:12.12,Default,,0000,0000,0000,,execute in reference to about:flags. And\Nsurprisingly, it was not, it wasn't Dialogue: 0,0:20:12.12,0:20:17.34,Default,,0000,0000,0000,,working for me. And I was so surprised,\Nlike why this is not working and like Dialogue: 0,0:20:17.34,0:20:22.90,Default,,0000,0000,0000,,shaking my head, like, what is wrong? So\Nthe next moment I was trying to figure out Dialogue: 0,0:20:22.90,0:20:27.65,Default,,0000,0000,0000,,what is wrong with this implementation,\Nlike why it is not working. Maybe there Dialogue: 0,0:20:27.65,0:20:31.81,Default,,0000,0000,0000,,are some errors in the console. 
So I try\Nto open the developer console to figure Dialogue: 0,0:20:31.81,0:20:37.04,Default,,0000,0000,0000,,out the possible errors. But you can see\Nthere is no such errors at all. So the Dialogue: 0,0:20:37.04,0:20:43.30,Default,,0000,0000,0000,,reason for that is most of the pages like\Nthe sensitive pages in the browsers like Dialogue: 0,0:20:43.30,0:20:47.78,Default,,0000,0000,0000,,Chrome, Firefox and even in Edge are\Nprotected by the CSP to make sure there Dialogue: 0,0:20:47.78,0:20:51.69,Default,,0000,0000,0000,,shouldn't be any JavaScript code\Nexecution. But we cannot see any CSP Dialogue: 0,0:20:51.69,0:20:57.11,Default,,0000,0000,0000,,errors here as well, which was pretty\Nstrange for me. So then again, I asked to Dialogue: 0,0:20:57.11,0:21:03.20,Default,,0000,0000,0000,,myself, like, why this black magic is not\Nworking on privileged pages. Even when we Dialogue: 0,0:21:03.20,0:21:09.96,Default,,0000,0000,0000,,don't have the CSP error, maybe this time\NEdge is playing smart. Do we have any Dialogue: 0,0:21:09.96,0:21:17.91,Default,,0000,0000,0000,,other way to load about:flags in Edge?\NThen the next idea that came to my mind is Dialogue: 0,0:21:17.91,0:21:24.22,Default,,0000,0000,0000,,to use the res protocol. So res protocol\Nis something that is used to fetch some Dialogue: 0,0:21:24.22,0:21:31.06,Default,,0000,0000,0000,,sort of resources from a module. So\Ninstead of about:flags, we can call Dialogue: 0,0:21:31.06,0:21:43.90,Default,,0000,0000,0000,,res://edgehtml.dll/flag.htm and the next\Nmoment it worked. So... Dialogue: 0,0:21:43.90,0:21:48.92,Default,,0000,0000,0000,,*applause* Dialogue: 0,0:21:48.92,0:21:53.85,Default,,0000,0000,0000,,Mittal: So this way we have now Javascript\Ncode execution on privileged pages as Dialogue: 0,0:21:53.85,0:21:58.90,Default,,0000,0000,0000,,well, which is pretty bad. 
So once you\Nhave Javascript code execution on Dialogue: 0,0:21:58.90,0:22:05.22,Default,,0000,0000,0000,,privileged pages, you can enable and\Ndisable Adobe Flash Player and there are Dialogue: 0,0:22:05.22,0:22:10.97,Default,,0000,0000,0000,,other methods, other possible options\Nwhich we have already discussed, can also Dialogue: 0,0:22:10.97,0:22:15.56,Default,,0000,0000,0000,,be possible with the same type, with the\Nsame thing. So again, what we need to do Dialogue: 0,0:22:15.56,0:22:22.33,Default,,0000,0000,0000,,is to call browser.tabs.update that points\Nto edgehtml.dll/flags.htm. And again, a Dialogue: 0,0:22:22.33,0:22:30.16,Default,,0000,0000,0000,,file, again some sort of javascript URI to\Nfetch, get element by ID and then click on Dialogue: 0,0:22:30.16,0:22:37.25,Default,,0000,0000,0000,,it. So it will toggle the Adobe Flash\NPlayer setting on the Edge. Again, what is Dialogue: 0,0:22:37.25,0:22:44.13,Default,,0000,0000,0000,,next? So this was pretty enough for me.\NBut again, like I was trying to figure out Dialogue: 0,0:22:44.13,0:22:50.50,Default,,0000,0000,0000,,if we can do something else as well. And\Nthen I start with the reading mode. So a Dialogue: 0,0:22:50.50,0:22:56.65,Default,,0000,0000,0000,,reading more is a feature implemented in\NEdge, which renders a page in a way that Dialogue: 0,0:22:56.65,0:23:01.57,Default,,0000,0000,0000,,is like kind of pretty easy to read. So in\Nthis process, Edge makes sure that there Dialogue: 0,0:23:01.57,0:23:07.38,Default,,0000,0000,0000,,shouldn't be any Javascript code execution\Non the page. The main purpose for reading Dialogue: 0,0:23:07.38,0:23:12.90,Default,,0000,0000,0000,,mode is that to provide the users, to\Nprovide a simplified page to the users. So Dialogue: 0,0:23:12.90,0:23:16.86,Default,,0000,0000,0000,,basically there should not be any\Nadvertisement or something like that. 
So Dialogue: 0,0:23:16.86,0:23:20.58,Default,,0000,0000,0000,,for that reason, browser vendors, they\Nmake sure there shouldn't be any Dialogue: 0,0:23:20.58,0:23:26.15,Default,,0000,0000,0000,,Javascript code execution on reading mode.\NAnd there was one bug with the reading Dialogue: 0,0:23:26.15,0:23:32.99,Default,,0000,0000,0000,,mode as well, like you cannot put any\Ndocument in the reader mode until unless Dialogue: 0,0:23:32.99,0:23:40.20,Default,,0000,0000,0000,,browser identified its compatibility. But\Nyou can append the read: protocol in the Dialogue: 0,0:23:40.20,0:23:46.44,Default,,0000,0000,0000,,in the first and then the URL that points\Nto some sort of domain and then Edge will Dialogue: 0,0:23:46.44,0:23:51.69,Default,,0000,0000,0000,,load the particular resources in the\Nreading mode as well. So fortunately, I Dialogue: 0,0:23:51.69,0:23:57.47,Default,,0000,0000,0000,,tried the same attack on the reading mode\Nas well. But since the reading more was Dialogue: 0,0:23:57.47,0:24:03.05,Default,,0000,0000,0000,,protected with their certain CSP and then,\Nso you can see the CSP error. It says we Dialogue: 0,0:24:03.05,0:24:09.20,Default,,0000,0000,0000,,do not allow inline script and it really\Nblocked by the Edge. So reading mode was Dialogue: 0,0:24:09.20,0:24:15.75,Default,,0000,0000,0000,,kind of safe, at least for the test cases,\Nbut in some certain test cases it worked Dialogue: 0,0:24:15.75,0:24:22.13,Default,,0000,0000,0000,,for me, but I was not able to I was not\Nable to reproduce it further. So that's Dialogue: 0,0:24:22.13,0:24:27.61,Default,,0000,0000,0000,,why I marked it as safe. The other\Npossible features we can have is the Dialogue: 0,0:24:27.61,0:24:32.39,Default,,0000,0000,0000,,Javascript code execution on other\Nextension pages. Like again, you can Dialogue: 0,0:24:32.39,0:24:37.80,Default,,0000,0000,0000,,imagine a situation: We have... 
You can imagine a situation when one extension is able to disable another extension in the browser, like how bad it will be. So again, now we are on an internal page that belongs to Adblock Plus. And if we tried to run our extension on this page, then again, we have CSP violation issues. So that was safe. The next thing was some CSP privilege issues, because the host permission will not work if there is any CSP error. So next, I tried to figure out if we can use the executeScript API to figure out how to deal with the CSP. So let's assume we have a page where the CSP is implemented properly and we have a host permission for the same. So you can see the code where we are saying the content security policy, which is set to default-src 'self'. And we are using browser.tabs.executeScript with this code, where we have to pass the JavaScript code, which is a simple alert(document.domain). So the way extensions deal with the CSP is that most of the browsers, they will allow Javascript from any extensions unless they try to change the DOM tree of particular documents.
So let's suppose we have the first example right here. In this case, so as I said, let's assume we are on a page which has a perfect CSP in place like this. And we tried to change the DOM for that particular page. So the possible ways we have are either we can use document.write or we can use document.body.innerHTML and then insert the Javascript code. And then the other possible way we have is to generate a random element and then write inside it. So all these ways to manipulate the particular DOM tree on a CSP protected page were not allowed by most of the browsers like Firefox and Chrome, but it was not protected in case of Edge, like the executeScript API is as straightforward as executing any of the Javascript code on any domain, whether you tried to change the DOM on a CSP protected page or not. Like it doesn't matter for it. So to conclude with this presentation is that Edge extensions are still in development. Most of the APIs are not supported till now, because Edge has moved to the new Chromium based browser as well.
So I'm not sure whether they have started developing the extensions API or not, but the ActiveTab is one of the interesting permissions to work on, because it allows you to execute Javascript code on the current domain. So if you are able to perform the same sort of, the same attack with the tabs API as well, so pretty much you can have all what I presented here as well. So Microsoft, they finally decided to fix this bug in the March 19 update with the highest possible bounty they have, with CVE-2019-0678. Now, that's it.

Herald: So thank you, Nikhil, for an interesting talk. If you have questions about the talk, we have three microphones, one, two and three, in each one of the aisles. If you have a question, please come to the microphone. We'll start from microphone number three.

Question: Hi. And thank you for the interesting talk. I have one question. Is this bug or is this API also relevant for the new, for the new Edge coming in January based on the Chromium engine?

Mittal: No, I guess.
So the APIs are the same, but since the new Edge is running on Chrome, so they will not support this API because they use some other calling conventions, I guess, I believe. Does that answer your question?

Q: Yeah. But I have a second one.

Herald: Yeah. Go for it.

Q: Okay. And the second one is, you tried to open the pages via the res protocol. But the functionality of those pages, is it also handled by Edge while opening it through the res protocol, not the about protocol?

Mittal: Yes, I guess.

Q: Okay. They were also working?

Mittal: Yeah.

Q: Okay. Thank you.

Herald: Any more questions from the crowd or from the internet? Okay. Then another round of applause for Nikhil for a great talk.

*36c3 outro music*