[HTTPS-Everywhere] Vulnerability in HTTPS Everywhere Chrome <= 2016.3.23

William Budington bill at eff.org
Fri Apr 8 14:50:03 PDT 2016


HTTPS Everywhere Chrome users: be advised that a security vulnerability of moderate severity has been found in versions <= 2016.3.23 of the extension. This has been fixed as of the latest version, 2016.4.4, released earlier this week and available via the Chrome Web Store.[1]

The vulnerability, discovered by Dylan Katz[2], allows any remote website to cause the Chrome browser to hang indefinitely by triggering a redirect in HTTPS Everywhere with a specially crafted URL. We thank Dylan for reporting this to us and allowing us to fix it in a timely manner.

This was disclosed as a part of EFF's Security Vulnerability Disclosure Program[3], launched in December of last year.

1. https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp
2. https://www.eff.org/security/hall-of-fame
3. https://www.eff.org/security