Steipete Summarize Missing Authorization Vulnerability in Chrome Extension Automation

Vulnerability

A missing authorization vulnerability has been identified in the Steipete Summarize Chrome extension, affecting versions prior to 0.15.1. This vulnerability allows attackers to execute browser automation actions without user approval for each individual action, bypassing a crucial confirmation step. Exploitation is possible when the extension's automation feature is enabled, and attackers can manipulate the agent by injecting malicious content into pages or summaries. This manipulation can trigger automation tools like navigation or debugger-related actions, all without the user's consent.

Impact

Exploitation of this vulnerability allows for unauthorized execution of browser automation tasks, which could include navigating to malicious websites or manipulating the browser environment through debugging tools.

Reproduction

To reproduce this vulnerability, use a version of the Steipete Summarize Chrome extension prior to 0.15.1. Enable the extension's automation feature. Then, interact with a page or summary that contains injected malicious content. The extension will execute automation tasks, such as navigation or debugging actions, without requesting user approval for each individual task.

Remediation

Users can update to Steipete Summarize version 0.15.2 or later, where this vulnerability has been addressed.
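
The flaw class described above, as an added example that is not the extension's own code: a dispatcher where the global automation switch is the only check, beside one that requires a separate user decision for each sensitive action. All names (`dispatchUnchecked`, `dispatchWithApproval`, `askUser`, the tool names) are hypothetical, and the approval callback is synchronous here for brevity.

```javascript
// Added illustration; every name here is hypothetical, not the extension's API.
const SENSITIVE_TOOLS = new Set(["navigate", "debugger"]);
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Weak pattern: the global automation switch is the only authorization check,
// so any tool call the agent emits runs once the feature is on.
function dispatchUnchecked(settings, call, tools) {
  if (!settings.automationEnabled) return { ok: false, reason: "automation disabled" };
  if (!has(tools, call.tool)) return { ok: false, reason: "unknown tool" };
  return { ok: true, result: tools[call.tool](call.args) };
}

// Hardened pattern: each sensitive call needs its own user decision, bound to
// the exact tool and arguments that were displayed. Anything but `true` denies.
function dispatchWithApproval(settings, call, tools, askUser, auditLog) {
  if (!settings.automationEnabled) return { ok: false, reason: "automation disabled" };
  if (!has(tools, call.tool)) return { ok: false, reason: "unknown tool" };
  let args = call.args;
  if (SENSITIVE_TOOLS.has(call.tool)) {
    const shown = JSON.stringify(call.args); // snapshot of what the user sees
    const approved = askUser({ tool: call.tool, args: shown }) === true;
    auditLog.push({ tool: call.tool, args: shown, approved });
    if (!approved) return { ok: false, reason: "user denied" };
    args = JSON.parse(shown); // execute the approved snapshot, not a mutable object
  }
  return { ok: true, result: tools[call.tool](args) };
}

// Constructed sample: a tool call the agent emitted after reading untrusted page text.
function demo() {
  const visited = [];
  const tools = { navigate: (a) => (visited.push(a.url), a.url), summarize: () => "summary" };
  const settings = { automationEnabled: true };
  const call = { tool: "navigate", args: { url: "https://untrusted.example/" } };
  const log = [];
  const weak = dispatchUnchecked(settings, call, tools);
  const denied = dispatchWithApproval(settings, call, tools, () => false, log);
  const allowed = dispatchWithApproval(settings, call, tools, () => true, log);
  const lowRisk = dispatchWithApproval(settings, { tool: "summarize", args: {} }, tools, () => false, log);
  return { weak, denied, allowed, lowRisk, visited, log };
}
```

The audit log records every approval decision, which gives defenders a place to look for bursts of denied or unexpected sensitive calls.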

Added: May 18, 2026, 8:23 PM
Updated: May 18, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.9
exploitability: 7.4
remediation: 0.0
relevance: 8.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.