Escaping the Chrome Sandbox Through DevTools

In this blog post, I describe vulnerabilities I discovered in the Chromium web browser that allowed a Chrome extension to run shell commands on a user's PC, potentially leading to malware installation. Google rewarded me $20,000 for reporting these bugs. The Chrome sandbox isolates untrusted code, but certain pages, like chrome://downloads, can bypass the sandbox if exploited. Additionally, I found a way to modify user policies using the PolicyTestPage, a page meant for testing policies, ultimately leading to a sandbox escape. By exploiting the Browser Switcher feature in enterprise policies, I was able to run arbitrary shell commands through the browser, demonstrating the potential security risks.

https://ading.dev/blog/posts/chrome_sandbox_escape.html
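The chain summarized above leans on two enterprise policy surfaces: the policy test page, which let policies be changed from inside the browser, and Browser Switcher, whose alternative-browser setting decides which executable Chrome launches. The following audit script is an added example by the editor, not code from the post or from Chromium. It checks a Chrome policy set for those surfaces. The policy key names (PolicyTestPageEnabled, BrowserSwitcherEnabled, AlternativeBrowserPath, BrowserSwitcherUrlList), the Linux managed-policy directory, and the default-enabled behaviour of the test page are assumptions to verify against the policy documentation for your Chrome version; the sample policies are constructed.

```python
"""Audit a Chrome enterprise policy set for the policy test page and
Browser Switcher settings that the post above abuses.

Added example by the editor; not from the original post or from Chromium.
Policy key names are assumed from the Chrome enterprise policy list and
should be checked against the documentation for your Chrome version.
"""
import json
import os
from pathlib import Path

# Executables that turn AlternativeBrowserPath into a "run anything" primitive.
SHELL_LIKE = {
    "sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe",
    "python", "python3", "perl", "wscript.exe", "cscript.exe",
}


def is_shell_like(path: str) -> bool:
    """True if the path's basename is an interpreter rather than a browser."""
    base = os.path.basename(path.replace("\\", "/")).lower()
    return base in SHELL_LIKE


def audit_policy(policy: dict) -> list[str]:
    """Return human-readable findings for one policy dict (empty = nothing flagged)."""
    findings = []
    # The post changes policies through the policy test page, so require the
    # page to be turned off explicitly rather than relying on the default
    # (assumed to leave it reachable).
    if policy.get("PolicyTestPageEnabled") is not False:
        findings.append("PolicyTestPageEnabled is not explicitly false")
    if policy.get("BrowserSwitcherEnabled", False):
        path = policy.get("AlternativeBrowserPath", "")
        if not path:
            findings.append("BrowserSwitcherEnabled with no AlternativeBrowserPath set")
        elif is_shell_like(path):
            findings.append(f"AlternativeBrowserPath is an interpreter: {path}")
        if not policy.get("BrowserSwitcherUrlList"):
            findings.append("BrowserSwitcherEnabled without a BrowserSwitcherUrlList allowlist")
    return findings


def audit_policy_dir(directory: str) -> dict[str, list[str]]:
    """Audit every *.json file in a managed-policy directory, for example
    /etc/opt/chrome/policies/managed on Linux (path is an assumption)."""
    results = {}
    for file in sorted(Path(directory).glob("*.json")):
        with open(file, encoding="utf-8") as fh:
            results[file.name] = audit_policy(json.load(fh))
    return results


# Constructed sample policies (not taken from the post).
WEAK_POLICY = {
    "BrowserSwitcherEnabled": True,
    "AlternativeBrowserPath": "/bin/sh",
    "AlternativeBrowserParameters": ["-c", "${url}"],
}
HARDENED_POLICY = {
    "PolicyTestPageEnabled": False,
    "BrowserSwitcherEnabled": True,
    "AlternativeBrowserPath": "/opt/legacy-browser/legacy-browser",
    "BrowserSwitcherUrlList": ["intranet.example.com"],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol) or ["ok"])
```

The managed-policy files express what the organization intends to enforce; the post's chain changed policies at runtime through the test page, so the PolicyTestPageEnabled check is the one that speaks to the post directly, while the Browser Switcher checks catch a standing configuration that already hands the browser an interpreter to launch.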