Flaw in popular developer tool only addressed after researchers spill the beans

UPDATED Developers of the Vue.js JavaScript framework have addressed a nasty cross-site scripting (XSS) vulnerability in the framework's Chrome extension, but only acted after researchers publicly disclosed the flaw.

Jiantao Li of Singapore-based security consultancy starlabs discovered the flaw before notifying developers of the tool, which has more than one million users among the software development community.

After more than two weeks of fruitlessly attempting to privately alert the developers by email, starlabs tried a different approach and posted about the issue on GitHub offering details alongside proof-of-concept code. The different approach yielded swift results and the problem was fixed within three hours.

In its advisory, starlabs explains the impact of the vulnerability and how attackers might have exploited it before it was resolved.

In devtools-background.js, there is a code injection in the toast function. It can be triggered by postMessage from any tab, which results in universal XSS upon opening the browser’s developer tools (F12).

An attacker can host a specially crafted web page to exploit this vulnerability, then convince a user to view the web page and open developer tools (F12) in other Chrome tabs.

Vue.js is a JavaScript framework for building web applications (specifically SPAs, or single-page applications, a type of modern web app). The vulnerability is in one of the helper extensions that hook into the browser's developer tools (F12) to enhance debugging for these pages.

In response to questions from The Daily Swig, Li offered a simplified explanation of the cause and impact of the vulnerability.

“It’s basically a code injection vulnerability in a popular browser extension,” the researcher explained. “The cause is that untrusted data gets executed as code.

“The UXSS will allow an attacker to execute JavaScript from one domain to any other domain if successfully exploited.”
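As an added illustration of the bug class Li describes (hypothetical code, not the Vue devtools extension's own, with a constructed toast sink, a constructed message and an assumed trusted origin), here is a postMessage-driven toast handler that splices untrusted message text into code, beside a hardened handler that keeps the text as data:

```javascript
// Constructed sink standing in for the real UI: records what each toast would show.
const shown = [];
function showToast(text) { shown.push(String(text)); }
function shownToasts() { return shown.slice(); }
function resetToasts() { shown.length = 0; }

// Vulnerable pattern (untrusted data executed as code): window.postMessage can be
// sent by any page, yet event.data.message is pasted into a code string and run.
function handleToastUnsafe(event) {
  const code = 'showToast("' + event.data.message + '")';
  return new Function('showToast', code)(showToast);
}

// Hardened pattern: allow-list the sender, validate the shape, and pass the value
// through as plain data. The origin is an assumed value for this demo.
const TRUSTED_ORIGIN = 'https://devtools.example';
function handleToastSafe(event) {
  if (event.origin !== TRUSTED_ORIGIN) return false;                       // unexpected sender
  const m = event.data && event.data.message;
  if (typeof m !== 'string' || m.length === 0 || m.length > 200) return false; // malformed
  showToast(m);   // data stays data: no string-built code, no eval, no innerHTML
  return true;
}

// Constructed message shaped like a postMessage event from a page we do not trust.
// The text closes the string literal and smuggles in a second call.
const craftedEvent = {
  origin: 'https://attacker.example',
  data: { message: 'hello"); showToast("injected' },
};

resetToasts();
handleToastUnsafe(craftedEvent);   // two toasts appear: the second is injected code
console.log(shownToasts());        // [ 'hello', 'injected' ]
resetToasts();
console.log(handleToastSafe(craftedEvent), shownToasts()); // false []
```

The same text sent from the trusted origin is shown verbatim, quotes and all, because the hardened handler never turns it into code.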

The developers of Vue.js have yet to respond to a request for comment from The Daily Swig, but we will update this story as and when more information comes to hand.


This story has been updated to include a clearer explanation of the vulnerable component

