Episode 95: In this episode of Critical Thinking - Bug Bounty Podcast In this episode, Justin is joined by MatanBer to delve into the intricacies of browser extensions. We talk about the structure and threat models, and cover things like service workers, extension pages, and isolated worlds.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod

Today’s Guest: https://x.com/MtnBer

Resources

Universal Code Execution by Chaining Messages in Browser Extensions

https://spaceraccoon.dev/universal-code-execution-browser-extensions/

DOMLogger++

https://github.com/kevin-mizu/domloggerpp

BBRE Metamask bug

https://youtu.be/HnI0w156rtw?si=QixP8SX6JuRFz6PA

Bench Press: Leaking Text Nodes with CSS

https://blog.pspaul.de/posts/bench-press-leaking-text-nodes-with-css/

Timestamps:

(00:00:00) Introduction

(00:03:08) Structure & Threat Model for Browser Extension

(00:28:28) Extension Attack scenarios

(01:01:26) Attacking Extension Pages

(01:26:35) Attacking Service Workers

(01:46:23) Getting source code and dynamic debugging