Flaw in popular developer tool only addressed after researchers spill the beans
Jiantao Li of Singapore-based security consultancy starlabs discovered the flaw before notifying developers of the tool, which has more than one million users among the software development community.
After more than two weeks of fruitless attempts to alert the developers privately by email, starlabs tried a different approach and posted about the issue on GitHub, offering details alongside proof-of-concept code. The change of approach yielded swift results, and the problem was fixed within three hours.
In its advisory, starlabs explains the impact of the vulnerability and how attackers might have exploited it before it was resolved.
In devtools-background.js, there is a code injection in the toast function. It can be triggered by postMessage from any tab, which results in universal XSS upon opening the browser’s developer tools (F12).
An attacker can host a specially crafted web page to exploit this vulnerability, then convince a user to view the web page and open developer tools (F12) in other Chrome tabs.
In response to a question from The Daily Swig, Li offered a simplified explanation of the cause and impact of the vulnerability.
“It’s basically a code injection vulnerability in a popular browser extension,” the researcher explained. “The cause is that untrusted data gets executed as code.”
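The pattern the advisory and Li describe (page-supplied text reaching a code string that is later executed) can be shown with a small illustration. This is an added example, not the Vue devtools extension's own code; the message shape, the `showToast` helper, and the origin allowlist are assumptions.

```javascript
// Added illustration, not the extension's own code: the vulnerable pattern the
// advisory describes ("untrusted data gets executed as code") beside a hardened
// form. Assumed shape: a page sends {event: "toast", message} via postMessage
// and the background script turns it into JavaScript run in the inspected tab.

// VULNERABLE: the message text is spliced into a source string. A quote in the
// text terminates the literal and whatever follows becomes code.
function buildToastCodeUnsafe(message) {
  return `showToast("${message}")`;
}

// HARDENED: serialize the text as a JSON literal so it can only ever be a
// string argument, and reject anything that is not a short string.
function buildToastCodeSafe(message) {
  if (typeof message !== "string" || message.length > 500) {
    throw new TypeError("toast message must be a short string");
  }
  return `showToast(${JSON.stringify(message)})`;
}

// Message gate: a devtools-side handler should also check where the message
// came from and that it has the expected shape. The allowlist is assumed.
function acceptToastEvent(evt, allowedOrigins) {
  if (!evt || !allowedOrigins.includes(evt.origin)) return null;
  const data = evt.data;
  if (!data || data.event !== "toast" || typeof data.message !== "string") {
    return null;
  }
  return data.message;
}

// Stand-in for the inspected tab: run the generated source with a stub
// showToast and return every message it was called with. Two entries means
// the text was executed as code rather than shown as text.
function runToast(source) {
  const shown = [];
  new Function("showToast", source)((m) => shown.push(m));
  return shown;
}

// Constructed sample input containing a quote, as any page could send it.
const SAMPLE = 'hi"); showToast("second';

console.log(runToast(buildToastCodeUnsafe(SAMPLE))); // [ 'hi', 'second' ]
console.log(runToast(buildToastCodeSafe(SAMPLE)));   // [ 'hi"); showToast("second' ]
```

The unsafe builder turns one toast request into two calls, which is the behaviour the advisory's "code injection" refers to; the hardened builder shows the same text verbatim.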
Developers of Vue.js have yet to respond to a request for comment from The Daily Swig, but we will update this story as and when more information comes to hand.
This story has been updated to include a clearer explanation of the vulnerable component.