Due to an oversight during a change made to the extension in the commit d4e8e48 , a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn't supposed to happen and be blocked by the origin not being present in the origin list.
Impact
This vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. We haven't seen any reports of this happening in the wild for the time being, will update the advisory if we find any known actors in the wild.
Patches
This security hole was patched in the commit 7e364b9 which was released along with the extension version 0.35.
Workarounds
You can use the Extensions Settings to disable the extension access to only the origins that you want.
Chrome/Chrome Based: https://arc.net/l/quote/arjkviwf
Firefox doesn't have an alternative to this as of writing this.
References
A PoC demo site submitted by the reporter: https://server.yadhu.in/poc/hoppscotch-poc.html
Credits
Thanks to @yadhukrishnam for responsible disclosure of this vulnerability 🤗
yadhukrishnam Reporter
Due to an oversight during a change made to the extension in the commit d4e8e48 , a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn't supposed to happen and be blocked by the origin not being present in the origin list.
Impact
This vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. We haven't seen any reports of this happening in the wild for the time being, will update the advisory if we find any known actors in the wild.
Patches
This security hole was patched in the commit 7e364b9 which was released along with the extension version
0.35.Workarounds
You can use the Extensions Settings to disable the extension access to only the origins that you want.
Chrome/Chrome Based: https://arc.net/l/quote/arjkviwf
Firefox doesn't have an alternative to this as of writing this.
References
A PoC demo site submitted by the reporter: https://server.yadhu.in/poc/hoppscotch-poc.html
Credits
Thanks to @yadhukrishnam for responsible disclosure of this vulnerability 🤗