Steipete Summarize Chrome Extension Hover Summary Vulnerability Allowing Unauthorized Daemon Requests

Vulnerability

A vulnerability exists in the Steipete Summarize Chrome extension in versions prior to 0.15.1. The issue lies in the hover summary feature: a malicious page can dispatch synthetic mouseover events over links it controls, and the extension reacts to them by making authenticated requests to its daemon with stored tokens, without checking whether the events are trustworthy (that is, generated by real user input rather than page script). An attacker can therefore route requests through the daemon to internal endpoints, potentially exposing confidential information, especially when the targeted URLs are local or within a private network.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive internal endpoints via server-side request forgery, using authenticated tokens to route requests through the user's daemon.

Reproduction

To reproduce this vulnerability, a malicious webpage is created that places local or private-network URLs behind hoverable links and dispatches synthetic mouseover events over them. When a user interacts with these links, the extension inadvertently makes authenticated requests to the daemon using stored tokens and can reach sensitive internal endpoints.

Remediation

Users can update to Steipete Summarize version 0.15.2 or later, where this vulnerability has been addressed.
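The kind of check the hover-summary path needs before contacting the daemon, as an added example and not the extension's own code: it drops events the browser did not generate from real input (`isTrusted` is false for events created by page script) and refuses URLs that point at the local machine or a private network. Function and field names here are hypothetical.

```javascript
// Added example: guard for a hover-summary handler. Not the extension's
// code; the function name and return values are hypothetical.

// Returns true when an IPv4 literal falls in a loopback, link-local,
// "this network" or RFC 1918 range, i.e. an address a daemon on the
// user's machine can reach but a remote page normally cannot.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

// Decide whether a hovered link may be forwarded to the daemon.
// `event` only needs an `isTrusted` flag; browsers set it to false for
// events built by page script (dispatchEvent) and true for real input.
// Returns a short rejection reason, or null when the request is allowed.
function hoverRequestRejection(event, href) {
  if (!event || event.isTrusted !== true) return "synthetic-event";
  let url;
  try {
    url = new URL(href); // WHATWG parser normalises forms like 127.1 and 0x7f000001
  } catch {
    return "unparseable-url";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "scheme";
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".local")) {
    return "local-host";
  }
  if (isPrivateIPv4(host)) return "private-address";
  // IPv6 literals keep their brackets in URL.hostname, e.g. "[fe80::1]".
  if (host.startsWith("[")) {
    const v6 = host.slice(1, -1);
    // ::1 loopback, fc00::/7 unique-local, fe80::/10 link-local
    if (v6 === "::1" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return "private-address";
  }
  return null;
}
```

The host check only covers address literals; a public hostname that resolves to a private address is not caught here and needs a check on the resolved address inside the daemon itself.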

Added: May 18, 2026, 8:24 PM
Updated: May 18, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 8.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.