Ben Dickson 27 February 2023 at 11:50 UTC
Recent findings show that protections against cross-site request forgery (CSRF) can be bypassed, and that the bypass may be exploited by malicious entities.

A critical vulnerability in the Chromium platform might allow attackers to sidestep a vital security feature designed to protect sensitive cookies in Android browsers.
The SameSite attribute is implemented to help developers restrict cookie access, ensuring that cookies do not appear in HTTP responses if users arrive at the site through a link from an external source.
Exploiting SameSite with Intent Requests
Security researcher Axel Chong identified a method to circumvent SameSite regulations by using the intent scheme to navigate to targeted URLs. Intents facilitate communication between various Android applications, such as transferring users from a web browser to a mapping app.
Chong stated, “I discovered this bug while exploring another intriguing issue with intents. Given that intent URLs can direct users back to the same app (in this case, Chrome) and create a new browsing context, I began to consider what security measures might be compromised.”
Intents should be treated as external entities and thus should adhere to SameSite cookie parameters. Nevertheless, a proof-of-concept developed in Python illustrated that cookies with specific settings persist when a web server issues a redirect using an intent.
This exploit also compromises the request’s Referer header, which typically specifies the origin of a request, empowering websites to manage access to their resources effectively.
“Both protections are often used to guard against CSRF, and this bypass negatively impacts their effectiveness,” emphasized Chong.
Redirect Issues Prevalent
Further examination disclosed that SameSite cookies can also be carried over during standard redirect requests, with no intent involved at all.
This concern was previously addressed in an earlier iteration of Chrome but was later reversed due to resulting breaking changes.
Enabling the experimental cookie feature flag (chrome://flags/#enable-experimental-cookie-features) restores the stricter behaviour, so that SameSite cookies are not sent during ordinary redirect chains.
However, this adjustment did not rectify the unsecured nature of intent redirects. Chong indicated that this aspect necessitated separate resolution.
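The behaviour discussed in the two sections above can be made concrete with a small model of how a browser decides whether to attach a SameSite cookie to a navigation. The following is an added example written for this page; it is not Chong's proof of concept, nor Chromium code. It assumes the rule the article describes (an intent: URL is an external party, and with the experimental flag every redirect hop must be same-site with the destination), and it simplifies "site" to scheme plus the last two host labels instead of consulting the public suffix list. Cookie, Navigation, site_of, is_cross_site and cookie_sent are names chosen here, and all URLs are constructed.

```python
"""Toy model of a browser's SameSite cookie decision for one navigation.

Added example, not code from the article or from Chromium. It models the
strict rule (every party in the chain, including an intent: bounce and every
redirect hop, must be same-site with the target) next to the relaxed rule
(only the original initiator is checked), so the difference the article
describes can be seen on constructed navigations.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}


def site_of(url: str) -> Optional[str]:
    """Return 'scheme://registrable-domain' for an http(s) URL, else None.

    None stands for an external, non-web party (an Android intent: URL, a
    launch from another app); it is never same-site with any web origin.
    Assumption: the registrable domain is the last two host labels; a real
    browser consults the public suffix list instead.
    """
    parts = urlsplit(url)
    if parts.scheme not in WEB_SCHEMES or not parts.hostname:
        return None
    labels = parts.hostname.lower().split(".")
    return f"{parts.scheme}://{'.'.join(labels[-2:])}"


@dataclass
class Cookie:
    name: str
    same_site: str = "Lax"  # "Strict", "Lax" or "None"


@dataclass
class Navigation:
    target: str
    initiator: str = ""  # "" = browser-initiated (typed URL, bookmark), treated as same-site
    redirect_hops: List[str] = field(default_factory=list)  # URLs that redirected to target
    method: str = "GET"
    top_level: bool = True


def is_cross_site(nav: Navigation, consider_redirect_chain: bool = True) -> bool:
    """True when the final request must be treated as cross-site.

    consider_redirect_chain=True models the stricter behaviour the article
    attributes to the experimental flag: each redirect hop is a party too.
    False models the relaxed behaviour where only the initiator counts.
    """
    target_site = site_of(nav.target)
    if target_site is None:
        return True
    parties = [] if nav.initiator == "" else [nav.initiator]
    if consider_redirect_chain:
        parties += nav.redirect_hops
    return any(site_of(p) != target_site for p in parties)


def cookie_sent(cookie: Cookie, nav: Navigation, consider_redirect_chain: bool = True) -> bool:
    """Apply the SameSite attribute to the cross-site decision."""
    if cookie.same_site == "None":
        return True  # modern browsers also require the Secure attribute here
    if not is_cross_site(nav, consider_redirect_chain):
        return True
    if cookie.same_site == "Strict":
        return False
    # Lax: cross-site requests get the cookie only on top-level, safe-method navigations.
    return nav.top_level and nav.method.upper() in ("GET", "HEAD")


def demo() -> dict:
    """Constructed navigations against a fictional bank.example target."""
    strict = Cookie("session", "Strict")
    lax = Cookie("prefs", "Lax")
    target = "https://bank.example/transfer"
    # A: a plain cross-site link from another site.
    direct = Navigation(target, initiator="https://evil.example/")
    # B: a link on the target site itself bounces through a cross-site hop
    #    before landing back on the target (the redirect case in the article).
    bounced = Navigation(target, initiator="https://bank.example/profile",
                         redirect_hops=["https://evil.example/bounce"])
    # C: the navigation is re-entered through an intent: URL, an external party.
    via_intent = Navigation(target, initiator="intent://bank.example/transfer#Intent;scheme=https;end")
    # D: a cross-site form submission.
    posted = Navigation(target, initiator="https://evil.example/", method="POST")
    return {
        "A_direct_strict": cookie_sent(strict, direct),
        "A_direct_lax": cookie_sent(lax, direct),
        "B_bounced_relaxed_strict": cookie_sent(strict, bounced, consider_redirect_chain=False),
        "B_bounced_chain_strict": cookie_sent(strict, bounced, consider_redirect_chain=True),
        "C_intent_strict": cookie_sent(strict, via_intent),
        "D_post_lax": cookie_sent(lax, posted),
    }


if __name__ == "__main__":
    for label, sent in demo().items():
        print(f"{label}: cookie {'sent' if sent else 'withheld'}")
```

Scenario B is the one the experimental flag changes: under the relaxed rule the Strict cookie is attached because the initiator and the final target are both bank.example, while the chain-aware rule notices the evil.example hop and withholds it. Scenario C shows the outcome the article says intents should have had from the start: an external initiator is cross-site, so a Strict cookie is withheld.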
Complex Fix Ahead
Addressing this vulnerability proved to be a challenge for developers, mainly due to the need to identify trusted applications, including browsers.
Ultimately, it was resolved that intents should not be deemed trustworthy due to concerns about the reliability of other applications on the device and potential exploitation of this route to bypass SameSite protections.
This situation elucidates the importance of implementing multiple layers of security within applications, given the complex communication pathways between apps and browsers.
“Security mechanisms such as SameSite cookies and Fetch metadata should serve as part of a broader defense strategy. While they are beneficial, they should not be solely relied upon,” Chong advised.
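As an added illustration of the layered approach Chong recommends (this is example code written for this page, not code from the article, from Chong or from Chromium), the handler below checks a state-changing request against three independent signals: Fetch metadata (Sec-Fetch-Site), the Origin or Referer header, and a per-session CSRF token. If a browser bug strips the Referer or attaches a SameSite cookie it should have withheld, the token layer still rejects the request. SECRET_KEY, ALLOWED_ORIGIN, the session id and the sample requests are constructed values; csrf_check and make_csrf_token are names chosen here.

```python
"""Server-side CSRF defence in depth: Fetch metadata, Origin/Referer, and a token.

Added example, not code from the article. Framework-free on purpose: the
request is a headers dict plus a form dict so it runs offline.
"""
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import urlsplit

SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: loaded from config in a real app
ALLOWED_ORIGIN = "https://bank.example"            # constructed origin for the demo


def make_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session so it cannot be reused across users."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(headers: Dict[str, str], form: Dict[str, str], session_id: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request.

    Each layer can reject on its own; a request must pass all of them.
    Nothing here depends on the SameSite attribute having been honoured.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Layer 1: Fetch metadata. Browsers that send it label cross-site requests
    # themselves; "none" is a user-initiated navigation, "same-origin" is ours.
    sfs = h.get("sec-fetch-site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        return False, f"rejected by Fetch metadata: Sec-Fetch-Site={sfs}"

    # Layer 2: Origin (or Referer as fallback). Absence is treated as failure
    # because a state-changing request from our own pages always carries one.
    source = h.get("origin") or h.get("referer")
    if source is None:
        return False, "rejected: no Origin or Referer on a state-changing request"
    if origin_of(source) != ALLOWED_ORIGIN:
        return False, f"rejected: origin {origin_of(source)} is not allowed"

    # Layer 3: session-bound token, compared in constant time.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(session_id)):
        return False, "rejected: missing or invalid CSRF token"

    return True, "allowed"


def demo() -> Dict[str, bool]:
    """Constructed requests: one legitimate, three that fail a different layer each."""
    sid = "sess-123"
    good_token = make_csrf_token(sid)
    cases = {
        "legit_same_origin": (
            {"Sec-Fetch-Site": "same-origin", "Origin": ALLOWED_ORIGIN},
            {"csrf_token": good_token}),
        "cross_site_form_post": (
            {"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example"},
            {"csrf_token": good_token}),
        "referer_stripped_no_metadata": (  # older browser, Referer lost in a redirect
            {},
            {"csrf_token": good_token}),
        "right_origin_missing_token": (
            {"Origin": ALLOWED_ORIGIN},
            {}),
    }
    return {name: csrf_check(hdrs, frm, sid)[0] for name, (hdrs, frm) in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'rejected'}")
```

The order of the layers is a design choice rather than a requirement; what matters is that the token check does not depend on cookie policy or on the Referer header, which are exactly the two protections the article says this bypass weakens.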
Based on an article from PortSwigger: https://portswigger.net/daily-swig/chromium-bug-allowed-samesite-cookie-bypass-on-android-devices
