chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to racy access check
Original Post:
We discussed this vulnerability during Episode 245 on 26 February 2024
A rather simple Chrome permission bypass. Basically, chrome.pageCapture.saveAsMHTML() shouldn't be able to save pages the extension doesn't have permission to read, such as pages belonging to another extension or chrome pages. The access check was vulnerable to a race condition: the permission was checked against the tab's current page, but the capture happened later, so by repeatedly navigating from an allowed page to a disallowed page and back, the call would eventually capture the disallowed page.
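To make the check-then-use race concrete, here is a toy model added for this write-up; it is not Chrome's code, and the `Tab` class, `isReadable`, the `interleave` callback and the URLs are all constructed for the example. The racy version checks permission against the tab's URL and then serializes whatever document the tab holds afterwards, so a navigation in the gap yields a capture of a page the check never saw. The hardened version applies the check to the exact document it serializes and then confirms that document is still the committed one.

```javascript
// Toy model of a check-then-use (TOCTOU) permission race and its fix.
// Constructed for illustration; this is not Chrome's implementation.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed model of a browser tab whose committed document can change
// (a navigation) between two steps of an API call.
class Tab {
  constructor(url) {
    this.documentId = 0; // increments on every navigation
    this.url = url;
  }
  navigate(url) {
    this.documentId += 1;
    this.url = url;
  }
  // Serialize the currently committed document.
  snapshot() {
    return { documentId: this.documentId, url: this.url, body: `<html>${this.url}</html>` };
  }
}

// Simplified permission model: the extension may read ordinary web origins only;
// chrome:// and chrome-extension:// pages are off limits.
function isReadable(url) {
  return ALLOWED_SCHEMES.has(new URL(url).protocol);
}

// Racy version: the check runs against tab.url at call time, but the capture
// runs later (the asynchronous gap is modelled by `interleave`). A navigation
// inside that gap makes the call return a page the check never approved.
function saveAsMHTMLRacy(tab, interleave) {
  if (!isReadable(tab.url)) return { error: "permission denied" };
  interleave(tab); // models work that happens between the check and the capture
  return { mhtml: tab.snapshot() };
}

// Hardened version: serialize first, check the permission on the document that
// will actually be returned, and refuse if the tab committed a different
// document in the meantime. Check and use now refer to the same object.
function saveAsMHTMLHardened(tab, interleave) {
  const snap = tab.snapshot();
  if (!isReadable(snap.url)) return { error: "permission denied" };
  interleave(tab);
  if (tab.documentId !== snap.documentId) {
    return { error: "document changed during capture" };
  }
  return { mhtml: snap };
}

// Drive both versions with a navigation that swaps an allowed page for a
// blocked one in the middle of the call (constructed scenario).
function demo() {
  const swapToBlocked = (t) => t.navigate("chrome://settings/");
  return {
    racy: saveAsMHTMLRacy(new Tab("https://example.test/"), swapToBlocked),
    hardened: saveAsMHTMLHardened(new Tab("https://example.test/"), swapToBlocked),
  };
}

const result = demo();
console.log("racy captured:", result.racy.mhtml && result.racy.mhtml.url);
console.log("hardened result:", result.hardened.error || result.hardened.mhtml.url);
```

The point of the model is the shape of the fix rather than any particular API: either the permission check must be evaluated on the very object that is returned, or the implementation must detect that the object changed between the check and the use. Detecting the change (the `documentId` comparison) is the weaker of the two on its own, since it still leaves a window if the identity check itself is separated from the capture; checking the snapshot you return removes the window entirely.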