CVE-2016-5162 in Chrome
Summary
by MITRE
The AllowCrossRendererResourceLoad function in extensions/browser/url_request_util.cc in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly use an extension's manifest.json web_accessible_resources field for restrictions on IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks, and trick users into changing extension settings, via a crafted web site, a different vulnerability than CVE-2016-5160.
Analysis
by VulDB Data Team • 09/14/2022
The vulnerability described in CVE-2016-5162 resides within Google Chrome's extension architecture and specifically targets the AllowCrossRendererResourceLoad function located in extensions/browser/url_request_util.cc. This flaw affects Chrome versions prior to 53.0.2785.89 on Windows and OS X, and before 53.0.2785.92 on Linux, representing a significant security gap in the browser's extension security model. The vulnerability stems from improper handling of the manifest.json web_accessible_resources field, which is designed to control which resources extensions can make available to web pages. When this field is not properly enforced for IFRAME elements, it creates an exploitable condition that undermines the security boundaries established by Chrome's extension system.
The technical flaw manifests when Chrome extensions attempt to load resources across renderer processes, particularly through IFRAME elements that should be restricted based on the extension's manifest configuration. The web_accessible_resources field in manifest.json is intended to define which resources within an extension can be accessed by web pages, but the implementation fails to properly validate these restrictions when IFRAME elements are involved. This oversight allows malicious websites to exploit the extension's resource access capabilities, effectively bypassing the intended security restrictions that should prevent unauthorized cross-origin resource loading. The vulnerability operates at the intersection of browser security boundaries, where extension isolation should prevent web pages from accessing extension resources directly.
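To make the manifest field and the load decision concrete, here is an added example that is not Chrome's code and not part of the VulDB entry: a simplified Python model of the policy that a function like AllowCrossRendererResourceLoad must enforce. The manifest fragment is constructed, the glob matching via fnmatch is an approximation of Chrome's pattern handling, and the `enforce_for_frames` switch is an assumption used only to contrast the intended policy (frame loads are checked like any other web-page load) with the class of weakness the advisory describes.

```python
import json
from fnmatch import fnmatch

# Constructed manifest.json fragment for illustration (not a real extension).
MANIFEST_JSON = """
{
  "name": "Example Extension",
  "version": "1.0",
  "manifest_version": 2,
  "web_accessible_resources": ["images/*.png", "inject/frame.html"]
}
"""


def load_web_accessible_resources(manifest_text):
    """Return the list of patterns an extension exposes to web pages."""
    manifest = json.loads(manifest_text)
    return manifest.get("web_accessible_resources", [])


def is_web_accessible(patterns, path):
    """Match an extension-relative path against the manifest patterns.

    Chrome accepts glob-style patterns in this field; fnmatch is an
    approximation of that matching, not Chrome's implementation.
    """
    return any(fnmatch(path, pattern) for pattern in patterns)


def allow_cross_renderer_load(patterns, path, from_extension_renderer,
                              is_frame_load, enforce_for_frames=True):
    """Decide whether a renderer may load chrome-extension://<id>/<path>.

    The extension's own renderer may load any of its resources. A web page
    renderer may only load resources listed in web_accessible_resources,
    and that rule must apply to frame (IFRAME) loads exactly as it does to
    other loads. enforce_for_frames=False models the weakness described in
    CVE-2016-5162, where the manifest restriction was not applied properly
    to IFRAME elements; it is an assumption about the flaw's shape, not a
    description of Chrome's actual code path.
    """
    if from_extension_renderer:
        return True
    if is_frame_load and not enforce_for_frames:
        return True  # flawed behaviour: frame load skips the manifest check
    return is_web_accessible(patterns, path)
```

With the default `enforce_for_frames=True`, a web page can frame only the resources the extension author listed, which is the boundary the fixed Chrome versions restore.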
The operational impact of this vulnerability extends beyond simple privilege escalation, creating conditions that enable sophisticated clickjacking attacks and user deception techniques. Attackers can craft malicious websites that leverage the improperly enforced resource restrictions to manipulate extension settings without user consent, potentially leading to unauthorized modifications of extension behavior or configuration changes. This creates a vector for social engineering attacks where users might be tricked into believing they are interacting with legitimate extension functionality while actually executing malicious code or altering extension parameters. The vulnerability particularly affects users who have extensions installed that provide sensitive functionality, as the attack surface expands to include these extensions' resource access capabilities.
This vulnerability aligns with CWE-284, which addresses improper access control in software systems, and represents a specific instance of inadequate privilege management in browser extension contexts. The flaw also corresponds to ATT&CK technique T1176, which involves the use of web shell or malicious web content to gain unauthorized access to system resources. The security implications extend to user privacy and system integrity, as malicious actors can exploit this condition to modify extension settings and potentially access sensitive user data. Organizations and users should consider this vulnerability as part of broader browser security hygiene practices, particularly in environments where extension-based functionality is prevalent. The fix implemented in Chrome versions 53.0.2785.89 and later addresses the core issue by properly enforcing manifest.json web_accessible_resources restrictions for IFRAME elements, thereby restoring the intended security boundaries between extension resources and web content.