Update (): Linked to respective Chromium issues. So most extension developers are bound to get it wrong on the first try. The extension platform introduced by Google Chrome simply doesn’t provide secure and convenient alternatives. This isn’t merely extension developers being clueless. These vulnerabilities are very typical, I’ve seen similar mistakes in other extensions many times. Update (): An extension version with the fix is now available for both Firefox and Edge.
Two releases have been skipped for Mozilla Firefox and Microsoft Edge for some reason, so that the latest version available here only fixes the first issue (insecure internal communication). At the time of writing, this version is only available for Google Chrome however. The second vulnerability gave a DuckDuckGo server way more privileges than intended: a Cross-site Scripting (XSS) vulnerability in the extension allowed this server to execute arbitrary JavaScript code on any domain.īoth issues are resolved in DuckDuckGo Privacy Essentials 2021.2.3 and above. First of all, the extension used insecure communication channels for some internal communication, which, quite ironically, caused some data leakage across domain boundaries. I found some of the typical issues (mostly resolved since) but also two actual security vulnerabilities.
A few months ago I looked into the inner workings of DuckDuckGo Privacy Essentials, a popular browser extension meant to protect the privacy of its users.
0 kommentar(er)
