So the website can read it out trivially”. However, he noted that “in a content script context, sessionStorage is no longer extension’s storage, it’s the website’s. Palant discovered that the user identifier was executed in the extension’s content script. RECOMMENDED Data study reveals predictors of supply chain attacks in NPM repositoriesĪccording to the researcher, the flaw resided in the extension’s identity-tracking functionality, which could determine if a user was logged into a Microsoft account. Usernames and profile images can be freely retrieved by Skype name.” “The extension leaks your Skype name to any website interested. “The privacy flaw is simple,” Palant told The Daily Swig. Microsoft has fixed a privacy bug in its Skype extension for Chrome that left millions of users at risk of having their account information leaked.Īfter turning his attention to the Skype-for-Chrome extension, which has nine million installs, security researcher Wladimir Palant discovered a “trivial” bug that allowed websites to ascertain information about user accounts that should typically be off-limits. Microsoft addresses issue at eleventh hour, as researcher publicly discloses ‘trivial’ privacy bug in browser plugin
0 kommentar(er)
