
406 points vk6 | 1 comments
Etheryte No.41867389
Given the severity, I can't help but feel that this is underpaid at the scale Google is at. Chrome is so ubiquitous and vulnerabilities like these could hit hard. Last thing they need to do is to send the signal that it's better to sell these on the black market.
londons_explore No.41867873
"what percentage of grandmas would lose their life savings if they stumble across this bug" is the metric I use to determine severity.

And in this case, it requires a chain of unlikely events. The user tricked into installing an extension (probably not one from the store, which is now particularly hard on Windows). The user tricked into opening devtools.

It's gonna be sub-1%. Certainly still worth fixing, but nowhere near as bad as a universal XSS bug.

gardenmud No.41869146
Not only that, but it doesn't work on Google Chrome releases, only the (upstream) Chromium, and Google Chrome Canary. Very few people use raw Chromium all by its lonesome and I would guess only for testing/development, not downloading random extensions.
1. TRiG_Ireland No.41870606{3}
I use Chromium, because I'm on Ubuntu. (Admittedly, I don't use it very often. I tend to be loyal to Firefox most of the time.)