Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Chrome Vulnerabilities Expose Users to Attacks Via Malicious Extensions

A Chrome 85 update released by Google this week patches several high-severity vulnerabilities, including ones that can be exploited to hack users by convincing them to install malicious extensions.

A Chrome 85 update released by Google this week patches several high-severity vulnerabilities, including ones that can be exploited to hack users by convincing them to install malicious extensions.

The extension-related vulnerabilities, described by Google as “insufficient policy enforcement in extensions,” were discovered by researcher David Erceg in August. He identified three vulnerabilities of this type: CVE-2020-15961, a high-severity issue for which he received a $15,000 bug bounty; CVE-2020-15963, also a high-severity flaw, for which he earned $5,000; and CVE-2020-15966, which has been rated medium severity and for which the bug bounty has yet to be determined.

Erceg told SecurityWeek that the vulnerabilities he discovered all target a specific API made available to extensions — he has not named the impacted API due to the fact that Google hasn’t mentioned it either in its release notes.

Exploitation of all three flaws involves convincing the targeted user to install a malicious extension with some specific privileges.

“Two of the issues (the high severity issues) allow an extension to download and run an executable file. In both cases, no user interaction would be required after the extension install,” Erceg explained. “In a real world attack, those issues would allow an extension to run an executable outside of the browser’s sandbox shortly after install (using the first issue, it could plausibly be done within a few seconds).”

He noted that the second high-severity vulnerability (CVE-2020-15963) can only be exploited to run an executable outside of the sandbox if certain conditions are met. If these conditions are not met, the attacker could still perform certain actions, such as accessing privileged pages or reading local files. Alternatively, an attacker could chain this flaw with another weakness to execute code outside of the sandbox.

The medium-severity issue, the researcher says, can be exploited by a malicious extension to read the content of local files, which an extension is normally not allowed to do without the user’s explicit permission.

The Chrome 85 update that patches these vulnerabilities also addresses an out-of-bounds read issue in storage, for which an unnamed hacker earned $15,000, and an insufficient policy enforcement issue for which researchers Leecraso and Guang Gong of 360 Alpha Lab earned $10,000.

Leecraso and Guang Gong earlier this month received a $20,000 bug bounty from Google for reporting a high-severity vulnerability that can be exploited to escape the Chrome sandbox.

Related: Google Patches More High-Value Chrome Sandbox Escape Vulnerabilities

Related: GitHub Shares Details on Six Chrome Vulnerabilities

Related: Google Awards $10,000 for Remote Code Execution Vulnerability in Chrome

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.