Ben Dickson, 27 February 2023 at 11:50 UTC
Recent vulnerabilities have exposed flaws in protections against cross-site request forgery (CSRF).
A serious issue in the Chromium project has been identified that allowed attackers to bypass a security feature designed to protect sensitive cookies on Android devices.
The SameSite attribute lets developers restrict when a cookie is sent, so that the browser does not attach it to HTTP requests that arrive via links or redirects from other websites.
SameSite Bypass via Intent Requests
Researcher Axel Chong discovered a method to circumvent SameSite protections through intent requests that navigate users to target sites. Intents function as external protocol handlers, allowing Android applications to transition between one another; for instance, moving from a web browser to a maps application.
“I found this vulnerability while exploring another intriguing issue related to intents,” Chong shared with The Daily Swig. “Because intent URLs can refer back to the same application (like Chrome), they generate a new browsing context, prompting me to consider what security protocols intents might bypass.”
Intent URLs should ideally be treated as external sources, subject to SameSite restrictions. However, Chong’s proof-of-concept, created in Python, illustrated that cookies with SameSite settings persist when the web server redirects using an intent URL.
The intent-based approach also circumvents the Fetch metadata request header that tells a server where a request originated, which websites rely on to govern access to their resources from other origins.
“These mechanisms are typically employed to prevent CSRF attacks, so the consequence would be the erosion of these protective measures,” added Chong.
Impact on Normal Redirects
Moreover, further analysis revealed that SameSite cookies were also being maintained through standard redirect requests, even without utilizing the intent protocol.
This issue had previously been fixed in an earlier version of Chrome, but the fix was later rolled back because of the adverse effects it caused.
Enabling the experimental flag (chrome://flags/#enable-experimental-cookie-features) restores the secure behavior by preventing SameSite cookies from being sent during ordinary redirect requests. However, this flag does not resolve the insecure behavior stemming from intent redirects.
A Complex Resolution
The rectification of this bug proved challenging as developers had to navigate the complexities of identifying trusted applications, including web browsers.
Ultimately, the decision was made not to trust intents, primarily for two reasons: (a) other applications on the device may be untrustworthy, and (b) websites could use intent URLs or redirects to return to Chrome and thereby evade SameSite restrictions.
This scenario underscores the importance of incorporating multiple security layers within applications, as communication between apps and browsers can be intricate.
“Security features like SameSite cookies and Fetch metadata should be viewed as part of an overarching strategy, not as solitary solutions,” advised Chong.
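As an added illustration of the layered approach Chong describes (example code written for this page, not Chromium's fix or Chong's proof-of-concept), here is a server-side check in Python that combines Fetch metadata, the Origin header and a session-bound token, so that a cookie which arrives despite SameSite still cannot authorize a state-changing request. The SECRET value, SITE_ORIGIN and the Request shape are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed example: a server-side CSRF check with three independent layers.
SECRET = b"constructed-server-secret"   # assumed: loaded from config in real use
SITE_ORIGIN = "https://app.example"     # assumed origin of the protected site


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (assumed shape)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session id with an HMAC; embed it in rendered forms."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_changing_request(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). A session cookie that is sent cross-site
    (as in the intent-redirect bug) only gets past the cookie check below."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    session_id = req.cookies.get("session")
    if not session_id:
        return False, "no session cookie"
    # Layer 1: Fetch metadata, when the browser sends it, exposes cross-site requests.
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site={fetch_site}"
    # Layer 2: the Origin header, when present, must match this site.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, f"origin mismatch: {origin}"
    # Layer 3: a session-bound token in the body; a cross-site form cannot
    # read the victim's session id, so it cannot forge a valid token.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "bad or missing csrf token"
    return True, "all layers passed"
```

The third case in the checks below models a request where the cookie arrived and no Fetch metadata was present at all; the token layer still rejects it.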

Based on an article from portswigger.net: https://portswigger.net/daily-swig/chromium-bug-allowed-samesite-cookie-bypass-on-android-devices
