Chromium site isolation bypass enables a variety of browser assaults

Flaw that opened the door to cookie modification and data theft resolved.

A bug in the Chromium project allowed attackers to bypass site isolation protection through iFrames and popup windows to carry out a host of malicious activities.

The security weakness opens the door to a number of exploits including stealing private information, reading and modifying cookies, and gaining access to microphone and camera feeds.

The vulnerability – which was recently patched – was caused by a code change made to a previous version of the browser.

Site isolation bypass

Site isolation is a security feature that puts every origin’s renderer in a different process to prevent different websites in a browser from accessing each other’s data. The technology also allows the browser to assign each renderer a specific origin, which it calls “process locks.”

Process locks are checked before allowing sensitive actions requested by the origin. If a renderer pretends to be another origin, the browser will notice the process lock does not match and block access.

“Both techniques combined prevent memory-compromised renderers or logic bugs such as my bug from being able to read, modify, or perform sensitive actions related to another origin,” Alesandro Ortiz, the security researcher who discovered the bug, told Daily Swig.

“There are other checks that are also used to enforce site isolation, but they’re less robust than process locks. This bug bypasses these less-robust checks.”

According to Ortiz’s findings, the vulnerability is triggered if an embedded iFrame opens a new window, such as a popup or a new tab, with a specially crafted URL that keeps the initial navigation entry for the new window. It can then access the data of the top window.

“The initial navigation entry is supposed to inherit the origin of the opener, but the bug causes the navigation entry to inherit the origin of the top-most page,” Ortiz said.

A broad range of attacks

“There are only a couple of ways to trigger the bug, but there is a broad range of ways to exploit it,” Ortiz explained. In essence, anything that has not been protected by process locks can be exploited through the vulnerability.

Ortiz details some of these exploits in his report.

For example, in e-commerce websites, chat applications, and social networks, an attacker would be able to read cookies, IndexedDB data, and CacheStorage data, any of which may contain sensitive data, including authentication info for account access. In cases where the website has been granted access to the device’s microphone or camera, the attacker will be able to silently record the victim’s conversations or visible activity.

A potential attacker will also be able to receive messages from the website using postMessage, WebSockets, BroadcastChannel, and SharedWorkers communication APIs, which may contain sensitive data, including authentication info.

Sandboxing the iframe mitigates the attack when the sandbox attribute does not grant “allow-scripts” and “allow-popups”. In some cases the attack also requires “allow-same-origin” to be enabled.

“Unfortunately, ‘allow-scripts’ and ‘allow-same-origin’ are fairly common, and ‘allow-popups’ is also present in many cases,” Ortiz said.
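As an added example (not code from the article, from Ortiz, or from the Chromium project), the following audits iframe sandbox attributes against the mitigation just described; the sample markup is constructed, and the rule that the attack path needs both allow-scripts and allow-popups is taken from the text above.

```javascript
// Added example (not from the article or the Chromium project): audit iframe
// sandbox attributes against the mitigation described above. The attack path
// needs the frame to run script AND open a popup, so a sandbox that omits
// "allow-scripts" or "allow-popups" blocks it; "allow-same-origin" is reported
// because the article says some variants need it.
function parseSandbox(value) {
  // null = attribute absent (frame not sandboxed); "" = bare "sandbox" (grant nothing)
  if (value === null || value === undefined) return null;
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

function auditSandbox(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) {
    return { mitigated: false, reason: 'no sandbox attribute: frame is unrestricted' };
  }
  const canScript = tokens.has('allow-scripts');
  const canPopup = tokens.has('allow-popups');
  if (!canScript || !canPopup) {
    const missing = canScript ? 'allow-popups' : 'allow-scripts';
    return { mitigated: true, reason: `sandbox omits ${missing}` };
  }
  const extra = tokens.has('allow-same-origin') ? ' and allow-same-origin' : '';
  return { mitigated: false, reason: `sandbox grants allow-scripts, allow-popups${extra}` };
}
// Audit every <iframe> in an HTML string. A regex is enough for a quick scan of
// static markup; a production linter would walk a real DOM instead.
function auditIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  // Matches " sandbox", " sandbox=x", ' sandbox="a b"' and " sandbox='a b'".
  const attrRe = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[1]);
    const value = a ? (a[1] ?? a[2] ?? a[3] ?? '') : null;
    results.push({ tag: m[0], ...auditSandbox(value) });
  }
  return results;
}

// Constructed sample markup: the weak setting, a sandbox that omits
// allow-popups, and an unsandboxed frame.
const SAMPLE_HTML = `
<iframe src="https://ads.example/w" sandbox="allow-scripts allow-popups allow-same-origin"></iframe>
<iframe src="https://widget.example/" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://legacy.example/"></iframe>
`;
console.log(auditIframes(SAMPLE_HTML));
```

Only the first frame in the sample carries the combination the article calls common; the third shows that an unsandboxed frame is reported as unrestricted rather than as mitigated.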

This is not the first time a site isolation bypass has been discovered. However, most recent site isolation bypasses affect a single feature or a small subset of features, while the latest vulnerability is more wide-ranging in its effects.

“This bug is unusual in that it spoofs several different values that are used by many important features to enforce site isolation, hence the much wider impact,” Ortiz said. “Typically spoofing only one of these values would trigger either process lock checks or other site isolation checks.”

Going down the rabbit hole

In 2020, Ortiz discovered CVE-2020-6506, a universal cross-site scripting (UXSS) bug in Android WebView (part of Chrome). The proof of concept (PoC) for that bug involved calling window.open() with a javascript: URL.

The PoC used a JavaScript dialog as one way to demonstrate impact. That PoC and a tip from another researcher helped Ortiz find the new bug.

“On March 30th, 2022, a researcher sent me a Twitter DM about potentially unexpected behavior when trying CVE-2020-6506’s PoC in Chrome,” Ortiz said. “The initial details were vague and I often get outreach from researchers confused about expected vs observed behavior regarding this CVE, but I try to chase down every reasonable lead.”

After some exploration, Ortiz realized the JavaScript dialog was showing the incorrect origin, a telltale sign of a potential security lapse.

“At this point I realized there was likely an interesting security issue here, so I kept investigating,” Ortiz said.

Ortiz submitted the initial Chromium security report knowing only the JavaScript dialog impact since that in itself was already a vulnerability.

“I kept investigating and quickly identified there were further impacts. The full investigation took a while, but I realized this was a wider-impact bug within a couple of hours of submitting the initial report,” he said.

The full bug report is an interesting study of going back and forth between researcher and vendor, all the while finding new exploits along the way.

Bad coding

According to Ortiz’s findings and the discussion thread on Chromium’s bug tracker, a misunderstanding of the logic behind the functions for opening new windows in the browser introduced the site isolation bypass in one of the commits in Chromium version 98. This bug was in Chrome Canary for about four months and in the Stable release for around two months before it was discovered.

“There are always interesting bugs even in secure software like major browsers,” Ortiz said. “Even the best of programmers accidentally make mistakes. I would have probably made the same mistake given the same circumstances as the commit author.”

“Different changes over time plus lack of context is usually a recipe for bugs, sometimes with security implications. I can’t speak on behalf of the Chromium team, but I personally don’t think there was a single point of failure here,” Ortiz concluded.

Ortiz was awarded $20,000 in bug bounty by the Google Vulnerability Reward Program (VRP) panel, of which he gave $4,000 to a collaborating researcher.
