Ben Dickson 27 February 2023 at 11:50 UTC
Recent findings suggest vulnerabilities in cross-site request forgery protections.
A recently patched bug in the Chromium project allowed malicious actors to bypass a crucial security feature that safeguards sensitive cookies in Android browsers.
The SameSite attribute gives developers control over cookie access: it can prevent a cookie from being included in HTTP requests when the user reaches the site through a link or redirect from another site.
Bypassing SameSite Protection with Intent Requests
Security expert Axel Chong revealed that he could circumvent SameSite protection by utilizing the intent scheme to access the target website. Intents serve as external protocol handlers enabling Android apps to interact, such as navigating from the browser to a Maps app or from an SMS to the browser.
“I stumbled upon this issue while exploring another intriguing bug related to intents,” Chong shared with The Daily Swig. “As intent URLs can reference the same application (Chrome in this instance) and create a new browsing context, I was curious about the potential security vulnerabilities they might introduce.”
Intent URLs should be treated as external sources and thus should adhere to SameSite restrictions. However, a proof-of-concept created by Chong in Python indicates that cookies with SameSite attributes can transfer when the web server initiates a redirect using an intent URL.
This method also compromises the Referer header, which identifies the origin of the request and lets websites control access to their resources from outside origins.
“Both methods are typically employed to safeguard against CSRF (cross-site request forgery), therefore, their circumvention could lead to significant security risks,” Chong clarified.
Impact on Standard Redirects
Further analysis revealed that SameSite cookies are also retained during standard redirect requests without using the intent protocol.
Despite an earlier fix in Chrome, this safeguard was eventually reversed because it caused incompatible changes.
To restore secure behavior and prevent SameSite cookies from being sent during normal redirect requests, developers can use the experimental cookie feature flag (chrome://flags/#enable-experimental-cookie-features).
This flag does not, however, address the insecure behavior of intent redirects; Chong noted that this case requires a separate fix.
No Simple Solution
Addressing this bug proved complicated as developers needed to establish criteria for identifying trusted applications, including browsers.
Ultimately, the Chromium developers decided not to trust intents at all, because (a) other applications on the device might be untrustworthy and (b) websites could use intent URLs or redirects to return to Chrome and potentially bypass SameSite restrictions.
The takeaway is that given the complex interactions between applications and browsers, developers should implement multiple layers of security within their applications.
“Browser security mechanisms (i.e., SameSite cookies, Fetch metadata) should serve as a part of a multi-faceted defense strategy. While they’re beneficial, they should not be the sole reliance for protection,” Chong advised.
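The layered approach Chong recommends, worked through as an added example (this is not code from the article, from Chong's proof of concept, or from the Chromium project). A state-changing endpoint is protected by three independent checks: the session cookie is issued with SameSite, the request's Fetch Metadata (Sec-Fetch-Site, falling back to Origin/Referer on older browsers) must indicate a same-site source, and the form must carry a per-session anti-CSRF token. The host `app.example`, the cookie name `sid`, the function names and the three sample requests are all constructed for this example; the point they illustrate is that a cookie arriving on a request is never taken as proof that the request originated on the same site.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "sid"           # cookie name, constructed for this example
SITE_HOST = "app.example"        # hypothetical host being defended
SERVER_SECRET = b"constructed-secret-for-the-example-only"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie_header(session_id: str) -> str:
    """Layer 1: issue the session cookie with SameSite=Lax, HttpOnly and Secure."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    jar[SESSION_COOKIE]["samesite"] = "Lax"
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["path"] = "/"
    return jar.output(header="").strip()


def csrf_token(session_id: str) -> str:
    """Layer 3 helper: derive a per-session anti-CSRF token (HMAC, nothing stored server-side)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allows(headers: dict) -> bool:
    """Fallback for browsers without Fetch Metadata: Origin, then Referer, must name our host."""
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False   # no provenance at all: treat as cross-site
    return urlsplit(source).hostname == SITE_HOST


def fetch_metadata_allows(headers: dict) -> bool:
    """Layer 2: Sec-Fetch-Site is set by the browser and cannot be altered by page script."""
    site = headers.get("sec-fetch-site")
    if site is None:
        return origin_allows(headers)
    return site in ("same-origin", "same-site", "none")


def check_request(method: str, headers: dict, cookies: dict, form: dict) -> tuple:
    """Return (allowed, reason) for a request to a state-changing endpoint.

    Each layer is evaluated on its own; the presence of the session cookie
    (layer 1) is never treated as evidence that the request is same-site.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    session_id = cookies.get(SESSION_COOKIE)
    if not session_id:
        return False, "no session cookie"
    if not fetch_metadata_allows(headers):
        return False, "rejected by Fetch Metadata / Origin check"
    expected = csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "all layers passed"


# Constructed sample requests (not captured traffic).
SID = "s3ss10n-constructed"
LEGIT = dict(method="POST",
             headers={"Sec-Fetch-Site": "same-origin", "Origin": "https://app.example"},
             cookies={SESSION_COOKIE: SID},
             form={"csrf_token": csrf_token(SID), "amount": "10"})

# Cookie present despite a cross-site navigation: Fetch Metadata still flags it.
CROSS_SITE = dict(method="POST",
                  headers={"Sec-Fetch-Site": "cross-site", "Origin": "https://attacker.example"},
                  cookies={SESSION_COOKIE: SID},
                  form={"amount": "10"})

# Cookie present, no Fetch Metadata, Referer naming our own host, no token:
# the token layer is the one that holds.
NO_METADATA = dict(method="POST",
                   headers={"Referer": "https://app.example/transfer"},
                   cookies={SESSION_COOKIE: SID},
                   form={"amount": "10"})


def run_samples() -> dict:
    """Evaluate the three constructed requests; returns name -> (allowed, reason)."""
    return {name: check_request(**req)
            for name, req in (("legit", LEGIT), ("cross_site", CROSS_SITE), ("no_metadata", NO_METADATA))}


if __name__ == "__main__":
    print(session_cookie_header(SID))
    for name, (ok, why) in run_samples().items():
        print(f"{name:12s} allowed={ok} ({why})")
```

The third sample is the instructive one: both the cookie and a plausible Referer are present, which is exactly the situation the article describes, and only the anti-CSRF token stops the request. Fetch Metadata is the cheapest second layer because the Sec-Fetch-Site header is set by the browser and cannot be set from page script, but browsers that do not send it fall back to the Origin/Referer check, so the token remains the layer that has to hold on its own.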
Based on an article from PortSwigger: https://portswigger.net/daily-swig/chromium-bug-allowed-samesite-cookie-bypass-on-android-devices