[HTTPS-Everywhere] Vulnerability in HTTPS Everywhere Chrome <= 2016.3.23

William Budington bill at eff.org
Fri Apr 8 15:48:05 PDT 2016


I can confirm this does not affect HTTPS Everywhere for Android or Firefox.  HTTPS Everywhere for Opera is essentially the same addon as for Chrome, so I haven't tested Opera, but if it was affected it has been fixed now.

Hope this helps!
Bill Budington
Software Engineer
Electronic Frontier Foundation
https://www.eff.org/

On Sat, 09 Apr 2016 00:09:11 +0200, sjw at gmx.ch wrote:
> Hi
> 
> Can you confirm that other platforms (Firefox, Android, Opera) are not
> affected?
> You may forward this to the oss-security list and request a CVE.
> 
> Regards,
> Jonas
> 
> On 08.04.2016 at 23:50, William Budington wrote:
> > HTTPS Everywhere Chrome users: be advised that a security vulnerability has been found of moderate severity with versions <= 2016.3.23 of the extension.  This has been fixed as of the latest version, 2016.4.4, released earlier this week and available via the Chrome Web Store.[1]
> >
> > The vulnerability, discovered by Dylan Katz[2], allows any remote website to cause the Chrome browser to hang indefinitely by triggering a redirect in HTTPS Everywhere with a specially-crafted URL.  We thank Dylan for reporting this to us and allowing us to fix it in a timely manner.
> >
> > This was disclosed as a part of EFF's Security Vulnerability Disclosure Program[3], launched in December of last year.
> >
> > 1. https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp
> > 2. https://www.eff.org/security/hall-of-fame
> > 3. https://www.eff.org/security
> >
> >
> > _______________________________________________
> > HTTPS-Everywhere mailing list
> > HTTPS-Everywhere at lists.eff.org
> > https://lists.eff.org/mailman/listinfo/https-everywhere
> 




