Flaw that opened the door to cookie modification and data theft resolved.
A bug in the Chromium project allowed attackers to bypass site isolation protection through iFrames and popup windows to carry out a host of malicious activities.
The security weakness opens the door to a number of exploits including stealing private information, reading and modifying cookies, and gaining access to microphone and camera feeds.
The vulnerability – which was recently patched – was caused by a code change made to a previous version of the browser.
Site isolation bypass
Site isolation is a security feature that puts every origin’s renderer in a different process to prevent different websites in a browser from accessing each other’s data. The technology also allows the browser to assign each renderer a specific origin, which it calls “process locks.”
Process locks are checked before allowing sensitive actions requested by the origin. If a renderer pretends to be another origin, the browser will notice the process lock does not match and block access.
“Both techniques combined prevent memory-compromised renderers or logic bugs such as my bug from being able to read, modify, or perform sensitive actions related to another origin,” Alesandro Ortiz, the security researcher who discovered the bug, told Daily Swig.
“There are other checks that are also used to enforce site isolation, but they’re less robust than process locks. This bug bypasses these less-robust checks.”
According to Ortiz’s findings, the vulnerability is triggered if an embedded iFrame opens a new window, such as a popup or a new tab, with a specially crafted URL that keeps the initial navigation entry for the new window. It can then access the data of the top window.
“The initial navigation entry is supposed to inherit the origin of the opener, but the bug causes the navigation entry to inherit the origin of the top-most page,” Ortiz said.
A broad range of attacks
“There are only a couple of ways to trigger the bug, but there is a broad range of ways to exploit it,” Ortiz explained. In essence, anything that has not been protected by process locks can be exploited through the vulnerability.
Ortiz details some of these exploits in his report.
For example, in e-commerce websites, chat applications, and social networks, an attacker would be able to read cookies, IndexedDB data, and CacheStorage data, any of which may contain sensitive data, including authentication info for account access. In cases where the website has been granted access to the device’s microphone or camera, the attacker will be able to silently record the victim’s conversations or visible activity.
A potential attacker will also be able to receive messages from the website using postMessage, WebSockets, BroadcastChannel, and SharedWorkers communication APIs, which may contain sensitive data, including authentication info.
iFrame sandboxing can mitigate the attack if “allow-scripts” and “allow-popups” are not present. In some cases, the attack requires “allow-same-origin” to be enabled.
“Unfortunately, ‘allow-scripts’ and ‘allow-same-origin’ are fairly common, and ‘allow-popups’ is also present in many cases,” Ortiz said.
This is not the first time that a site isolation bypass bug has been discovered. However, most of the recent site isolation bypasses affect a single feature or a small subset of features while the latest vulnerability is more wide ranging in its effects.
“This bug is unusual in that it spoofs several different values that are used by many important features to enforce site isolation, hence the much wider impact,” Ortiz said. “Typically spoofing only one of these values would trigger either process lock checks or other site isolation checks.”
Going down the rabbit hole
“On March 30th, 2022, a researcher sent me a Twitter DM about potentially unexpected behavior when trying CVE-2020-6506’s PoC in Chrome,” Ortiz said. “The initial details were vague and I often get outreach from researchers confused about expected vs observed behavior regarding this CVE, but I try to chase down every reasonable lead.”
“At this point I realized there was likely an interesting security issue here, so I kept investigating,” Ortiz said.
“I kept investigating and quickly identified there were further impacts. The full investigation took a while, but I realized this was a wider-impact bug within a couple of hours of submitting the initial report,” he said.
The full bug report is an interesting study of going back and forth between researcher and vendor, all the while finding new exploits along the way.
According to Ortiz’s findings and the discussion thread on Chromium’s bug tracker, a misunderstanding of the logic behind the functions for opening new windows in the browser introduced the site isolation bypass in one of the commits in Chromium version 98. This bug was in Chrome Canary for about four months and in the Stable release for around two months before it was discovered.
“There are always interesting bugs even in secure software like major browsers,” Ortiz said. “Even the best of programmers accidentally make mistakes. I would have probably made the same mistake given the same circumstances as the commit author.”
“Different changes over time plus lack of context is usually a recipe for bugs, sometimes with security implications. I can’t speak on behalf of the Chromium team, but I personally don’t think there was a single point of failure here,” Ortiz concluded.
Ortiz was awarded $20,000 in bug bounty by the Google Vulnerability Reward Program (VRP) panel, of which he gave $4,000 to a collaborating researcher.
Erik Ten Hag Chops First Breakfast as Man Utd Manager as Brighton Wins 2-1
Man Utd must let Ronaldo leave – Wayne Rooney
Australia Scholarship: Apply for Griffith University degree scholarship, 2022
Edo Govt To Recruit 1000 New Teachers, Train 650 Others
Ebonyi Govt Laments Destruction Of Airport Fence
Transfer: Real Madrid star, Isco to Sevilla as free agent
Transfer: Neto joins Bournemouth from Barcelona
Kano loses one pilgrim in Saudi Arabia
Tobi Amusan wins a gold medal at the Commonwealth Games and breaks a record
Deposed Emir Sanusi: “I’ll keep speaking out to rebuild Nigeria.”
Religious organizations disagree on how to pay for the Jos Main Market project
Jenkins security: The most recent plugin advisory contains flaws with unpatched XSS and CSRF
ParseThru: Multiple Go apps have been found to have an HTTP parameter smuggling issue
Director of Batgirl reveals After the movie was canceled, Marvel CEO Kevin Feige contacted him
Our pop queen dreams have come true with the epic Break My Soul and Vogue remix by Beyonce and Madonna
Buhari condemns killings of Nigeriens and police officials in South East
In Ekiti, gunmen abduct a 4-year-old boy while the father runs
NDA changes the curriculum to better train cadets for asymmetrical warfare
In Everton’s tight loss to Chelsea, Alex Iwobi shines for the team
Following a 4-1 loss to Tottenham, Aribo’s manager lashes out “not good enough.”
Mohammed Usman, Kamaru Usman’s younger brother crowned UFC TUF Champion [Images/Video]
BBNaija S7: Beauty says, “He’s fingered me and sucked my breast,” as she drags Groovy
BBNaija S7: Denrele claims that bbnaija candidates send him n*des and millions of naira in order to take part in the show
I’m not at Man City to win UEFA Champions League – Pep Guardiola
Buhari Has Delivered, Security Only Exists In Heaven – Festus Keyamo
2023: Ogun State Is Nobody’s Inheritance – Dapo Abiodun
Your weekly tarot horoscope for August 7 to August 13 and Venus’s move into Leo
“Until A Man Is Financially Stable, He’s Not Truly Happy” – Toolz
Hard Decisions Needed To End ASUU Strike – JAMB boss
Bola Tinubu Sees Presidency As Retirement Benefits – Dino Melaye
Your daily horoscope for Sunday, August 7, 2022
Vinicius Jr Wants Five or More UCL at Real Madrid
Why Juventus, Atletico Madrid Game Got Cancelled
Peruzzi Bags 7-days Ultimatum To Refund ₦3 Million Over Breach of Contract
EPL: Thomas Tuchel revels Marcos Alonso’s decision
Messi Scores Brace as PSG Effortlessly Thrashed Clermont Foot
Buhari Vows To Track Down Killers Of Imo Police Officers
[STORY] SADE’S HEART TALE (Episode 20)
5 Reasons To Start Playing Computer Games
XSS in Gmail’s AMP For Email earns researcher $5,000
[STORY] MONEY OVER LOVE (Complete Episodes)
[STORY] THE WITCH’S DAUGHTER (Complete Episodes)
[STORY] SADE’S HEART TALE (Episode 19)
[STORY] MONEY OVER LOVE (Episode 01)
[STORY] THE WITCH’S DAUGHTER (Episode 07)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Complete Episodes)
[STORY] THE WITCH’S DAUGHTER (Episode 01)
[STORY] THE WITCH’S DAUGHTER (Episode 03)
[STORY] THE WITCH’S DAUGHTER (Episode 05)
Nwankwo Kanu, a Super Eagles icon, turns 46 [Photos]
[STORY] MONEY OVER LOVE (Episode 09)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 01)
[STORY] THE WITCH’S DAUGHTER (Episode 04)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 02)
Watch the latest “Passport” movie teaser with Mercy Johnson, Zubby Michael, and Jim Iyke
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Final Episode 04)
[STORY] THE WITCH’S DAUGHTER (Episode 06)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 03)
[STORY] THE WITCH’S DAUGHTER (Episode 02)
[STORY] MONEY OVER LOVE (Episode 05)
[STORY] MONEY OVER LOVE (Episode 04)
A sizable piece of Elon Musk’s space junk has fallen onto an Australian man’s farm.
[STORY] MONEY OVER LOVE (Episode 03)
Hilda Dokubo comments on the ransom demanded for colleagues who have been kidnapped: “Some actors present the incorrect picture on social media.”
How To Receive Google AdSense Payment To GTB, UBA, Access, FCMB, First Bank – SWIFT – BIC CODE
[STORY] MONEY OVER LOVE (Episode 12)
[STORY] THE WITCH’S DAUGHTER (Final Episode 09)
Monalisa Chida claims the abductor’s phone may be used to find kidnapped Nollywood actors.
The representatives of Victor Osimhen call a CRUNCH meeting to debate the future of Napoli.
Kcee Marzz incorporates highlife in his latest song, “In the air,”
[STORY] MONEY OVER LOVE (Episode 08)
Epic movie “Anikulapo” by Kunle Afolayan is scheduled to premiere in September
“Nancy Isime Did Butt Enlargement Surgery” – Blessing Okoro Makes Shocking Revelation
[STORY] MONEY OVER LOVE (Episode 02)
[STORY] MONEY OVER LOVE (Episode 06)
Danielle’s graduation is a cause for celebration for Jay-Jay Okocha.
[STORY] MONEY OVER LOVE (Episode 10)
Nkem Owoh Breaks Silence On Claims He Rejected N10 Million To Endorse Bola Tinubu For President
[STORY] MONEY OVER LOVE (Episode 17)
Revealed: Why Watford goalkeeper Maduka Okoye was not included in the team on Monday
ANE's Billboard Hots
Technology1 month ago
VoIP Number: Everything You Need To Know
Music6 years ago
[Music] Ed Sheeran – Perfect
Music5 years ago
[Music] Wiz Khalifa – See You Again ft. Charlie Puth
Music1 month ago
[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
ANE Stories1 month ago
The Story Of My Life (Complete Episode 1 – 47)
Movie Subtitle1 month ago
DOWNLOAD Complete Money Heist Season 1 Subtitles File [English SRT] 2017
Music3 years ago
[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you
Music1 month ago
[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me