●● IRC: #boycottnovell @ Techrights IRC Network: Wednesday, June 30, 2021 ●●
● Jun 30
[03:11] *DaemonFC has quit (Quit: Leaving)
[03:17] *job (~job@bfjdrpzm6v77y.irc) has joined #boycottnovell
● Jun 30
[04:22] schestowitz
[04:22] schestowitz: Normally, CSS injection vulnerabilities are fairly boring. With some luck, you can use them to assist a clickjacking attack. That is, unless the vulnerable party is a browser extension, and it lets you inject CSS code into high profile properties such as Google's. I've now had some fun playing with this scenario, courtesy of G App Launcher browser extension.
[04:22] schestowitz: The vulnerability has been resolved in G App Launcher 23.6.1 on the same day as I reported it. Version 23.6.5 then added more changes to further reduce the attack surface. This was a top notch communication experience, many thanks to Carlos Jeurissen!