###################################### Gmail Checker plus Chrome extension XSS extension: https://chrome.google.com/extensions/detail/mihcahmgecmbnbcchbopgniflfhgnkff advisore:http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension-xss.html Exploit available:yes ####################################### So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10) has a flaw that allow attackers to make XSS style attacks. All extensions runs over his origin and no have way to altered data from extension or get sensitive data like , email account or password etc.. if we look how many users have instaled this extension => https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe 303,711 users have instaled it (WoW) ############ explanation ############ Google Mail Checker Plus allows users to view wen they have a new mail and view a preview of the mail .... if a attacker compose a new mail with html or javascript code in subject form field and send it to victim´s the code is executed wen Victim´s click in the extension to view the mail and wen victim´s accept the alert and view a preview of mail the iframe is executed too. Gmail is a safe place , but the extension to manage it can be a potential vector to attack it. For example send a email With a logout acction in gmail in subject "><iframe src="https://mail.google.com/mail/?logout&hl=es"<>/iframe> it closes the sesion on gmmail , this is a XSRF , and , in the case what you say aa it is executed in context and the location.href value is "about:blank" So we have dispute it in http://code.google.com/p/chromium/issues/detail?id=45401 The developer has release a patch version in trunk => http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js please donload it and copy to your extension folder to solve it. See Diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0 ######################€nd################################# . Thnx for your time !!! atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....