2-Click Remote Code Execution in Meccha Chameleon
A vulnerability was discovered in the Meccha Chameleon remote administration tool that allows an attacker to execute arbitrary code on a target system with just two clicks, posing a significant security risk to users of the software.
Background
- **Meccha Chameleon** is a Chrome extension, popular among users of the Japanese resale proxy service **Meccha Japan**, that automatically reprices items on auction sites like Yahoo! Auctions Japan.
- The article's author discovered a critical security flaw: simply clicking a specially crafted link (e.g., from a malicious ad or forum post) could let an attacker execute arbitrary code on the victim's browser with the extension's full permissions (a "2-click RCE" — remote code execution requiring only two clicks, no additional user consent).
- The root cause is the extension's use of an unsafe eval-like function (`chrome.tabs.executeScript`) on untrusted data from the auction site, combined with a weak permission model that gives the extension broad access to all websites.
- The vendor was notified but did not respond; the vulnerability remained unpatched as of publication. This case highlights ongoing risks in the "browser extension as middleman" model, where convenience features inherit the browser's full trust boundary.