https://github.com/ading2210/echoanywhere
A Chrome OS exploit demonstrating the (limited) use of chrome.echoPrivate on any webpage.
- Host: GitHub
- URL: https://github.com/ading2210/echoanywhere
- Owner: ading2210
- License: gpl-3.0
- Created: 2023-05-07T06:05:08.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-05-07T06:08:02.000Z (over 2 years ago)
- Last Synced: 2025-06-09T23:35:29.577Z (7 months ago)
- Language: HTML
- Homepage: https://ading.dev/blog/posts/echoanywhere.html
- Size: 14.6 KB
- Stars: 2
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# EchoAnywhere
This is a POC demonstrating the (limited) use of `chrome.echoPrivate` on any webpage.
## Explanation:
This page exploits the Chrome Goodies component extension, which is used to check device eligibility on the Chromebook Perks page. That page works by putting an extension page inside an iframe (`chrome-extension://kddnkjkcjddckihglkfcickdhbmaodcn/broker.html`) and posting messages to it to allow communication with the extension.
The extension does not restrict which page may embed `broker.html` and post messages to it, so any webpage can pretend to be the Perks page and post messages to the iframe in order to redeem codes and read the existing offers.
The webpage then calls `iframe.contentWindow.postMessage` on the iframe, and the broker page proxies the message to either `chrome.echoPrivate.getUserConsent` or `chrome.echoPrivate.getOfferInfo`. This lets the webpage leak any existing promo codes, even without user consent. It could also trick the user into redeeming other codes, since the caller can set the title of the redemption prompt arbitrarily.
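A defensive counterpart to the behaviour described above, added here as an example and not code from the echoanywhere repo or the Chrome Goodies extension: a broker-style message handler that proxies privileged calls only for an exact-match allowlisted embedder origin and only for an explicit set of methods. The Perks page origin, the message shape and the argument shapes of the `chrome.echoPrivate` calls are assumptions; the privileged API is injected so the code runs outside Chrome OS.

```javascript
// Added example, not the extension's code. The Perks origin is a placeholder;
// the README does not name it. `privilegedApi` stands in for chrome.echoPrivate.
const TRUSTED_EMBEDDERS = new Set(["https://perks.example"]); // placeholder origin
const EXPOSED_METHODS = new Set(["getOfferInfo", "getUserConsent"]);

function isTrustedOrigin(origin) {
  // Exact match on the serialized origin. A prefix or substring check would be
  // defeated by an origin such as "https://perks.example.unrelated.test".
  return TRUSTED_EMBEDDERS.has(origin);
}

function handleBrokerMessage(event, privilegedApi) {
  if (!isTrustedOrigin(event.origin)) {
    return { ok: false, error: "untrusted embedder origin" };
  }
  const { method, args } = event.data || {};
  if (!EXPOSED_METHODS.has(method) || typeof privilegedApi[method] !== "function") {
    return { ok: false, error: "method not exposed by broker" };
  }
  return { ok: true, result: privilegedApi[method](...(Array.isArray(args) ? args : [])) };
}

// Inside the extension page this would be wired as:
//   window.addEventListener("message", (e) => {
//     const reply = handleBrokerMessage(e, chrome.echoPrivate);
//     e.source.postMessage(reply, e.origin); // reply only to the sender's origin
//   });

// Constructed stand-in for chrome.echoPrivate; the argument shapes are assumed.
const fakeEchoPrivate = {
  getOfferInfo: (serviceId) => ({ serviceId, code: "CONSTRUCTED-PROMO-CODE" }),
  getUserConsent: (opts) => ({ consented: false, promptTitle: opts.title }),
};

// Constructed message events: one from the allowlisted embedder, one from elsewhere.
const fromPerks = { origin: "https://perks.example", data: { method: "getOfferInfo", args: ["svc"] } };
const fromAnywhere = { origin: "https://unrelated.example", data: { method: "getOfferInfo", args: ["svc"] } };
```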
## License:
This repository is licensed under the GNU GPL v3.