Friday, July 15, 2011

Google Chrome OS Hacked Using ScratchPad Extension in Black Hat ...

A security researcher used the ScratchPad extension to demonstrate how permissions can be abused to steal data on a Chrome OS device.

The Chrome extension ScratchPad had a wide range of permissions that made it vulnerable to a cross-site scripting attack, Matt Johansen, an application security specialist at WhiteHat Security, said July 14 in a preview of a presentation he will be making at Black Hat. In his preview, Johansen used ScratchPad, a preinstalled extension that allows users to take notes and auto-sync the note files with Google Docs in the "ScratchPad" folder. The extension had a "quote-unquote feature" that allowed users to share ScratchPad folders without requesting any user permissions, Johansen said. In his demonstration, a friend shared a folder containing a note with malicious code, which was then accessible on the CR-48 through the ScratchPad extension. Once the note was opened, the note was able to...