SponsorBlock is a browser extension to skip YouTube sponsors using crowd sourced data.
Was forked from my extension despite what it says that was not in 2020.
Since its crowd sourced it has to trust its users but to prevent abuse VIPs can lock segments.
Because they wanted to insert the extension popup on to the YouTube page popup.html was added to web_accessible_resources,
The ability to use a iframe was unknown there was no embedding protection and it used a hacky sendRequestToCustomServer function to inject the content into the page dom.
This meant the persons user id was exposed to YouTube and the popup controls such as the ability to turn off sponsor skipping could be clickjacked.
let frame = document.createElement('iframe');
frame.src = 'chrome-extension://mnjggcdmjocbbbhaepdhchncahnbgone/popup.html';
document.body.appendChild(frame)
This was fixed by just using the iframe and checking the origin of the parent with postMessage for *.youtube.com
On Firefox this attack is harder because it uses a randomized id for the url this also prevents detecting the existence of extensions.
Fixed by adding a CSP. Post-Spectre Web Development
The servers nginx.conf had a proxy_pass for a 3rd party service.
That would allow impersonation of the sponsor.ajay.app domain.
Fixed by checking if a video was unlisted and then asking the user, later changed to a k-anonymity system.
The extension uses a random id to authenticate users that is then hashed when stored in the public database.
But it used the insecure Math.random() it now uses window.crypto.getRandomValues
Since the server was using caddy it was possible to spoof your IP address with the x-forwarded-for header.
While IPv4 addresses where hashed 5000 times its using sha256 with a static salt so it would be easy to compute all possible IP addresses.
This was fixed by moving the data to a private database.