Safe Browsing: Google Fixes Chrome Site Isolation Bypass Bug
Ben Dickson December 21, 2021 at 15:20 UTC
Updated: December 21, 2021 at 15:42 UTC
A vulnerability in Chrome’s service worker functionality created a flaw in the browser’s armor
A set of features intended to make webpages load faster in Chrome contained a bug that allowed attackers to bypass the browser’s site isolation feature, a security researcher has found.
Chrome uses the same origin policy to prevent websites from accessing other people’s data in the browser, but sometimes subtle security bugs like Specter open avenues to circumvent these policies.
Site Isolation is an additional line of defense that protects browsers against such threats. Introduced in Google Chrome in 2018 and replicated in last month’s Firefox release, site isolation means documents from different websites are rendered independently rather than in a shared process.
This makes it much harder for malicious websites to steal information from other websites. Even if a cross-domain website is integrated with another website via an iframe, site isolation will still load it in a separate process to protect its information.
Service worker contracts bug
However, Sergei Glazunov of Google’s Project Zero circumvented site isolation by exploiting a bug in Chrome’s service worker feature.
Learn about the latest browser security news
According to Glazunov’s report, the exploit starts when a malicious website uses “navigation prefetching”, a feature that loads a URL alongside service worker startup. In this case, the malicious code uses a URL loader with Cross-Origin Read Blocking (CORB) disabled. CORB is an algorithm that prevents cross-origin resource loads in web browsers before they reach the web page.
Once the CORB disabled URL loader is ready, it is passed to the service worker, where it loads the requested content and destroys itself.
The URL loader is supposed to prevent redirects, but since the service worker has access to the URL loader interface, it can modify its behavior to follow the redirect and read the full response even if it comes from a domain of cross origin.
Also, the site isolation feature will not prevent code from accessing out-of-bounds data.
In the proof-of-concept code, Glazunov demonstrates how an attacker can use the bug to request a Gmail URL and gain access to a user’s cookies and data.
The issue has been resolved in Chrome 96.
RELATED Severe Chrome bug allowed RCE on devices running remote headless interface