Ben Dickson 27 February 2023 at 11:50 UTC
A now-patched flaw showed that browser-side protections against cross-site request forgery (CSRF) could be bypassed.
A recently patched vulnerability in the Chromium project allowed attackers to bypass a protection designed to safeguard sensitive cookies in Android browsers.
The SameSite cookie attribute lets web developers restrict when a browser attaches a cookie to a request. For example, a cookie marked SameSite=Strict should not be included in the HTTP request when a user arrives at the site via a link or redirect from a different website.
SameSite Security Bypass Using Intent Requests
Security researcher Axel Chong found that SameSite protection can be bypassed when the intent:// URL scheme is used to navigate to the target website. Intents are Android's mechanism for handing off to another app, which browsers treat as external protocol handlers: they are what moves a user from a web page into the Maps app, or from a messaging app back into the browser.
“I discovered this vulnerability while examining another intriguing bug associated with intents,” Chong told The Daily Swig. “As intent URLs can refer to the same application (Chrome in this instance) and establish a new browsing context, I began to question which security protocols might be bypassed by these intent URLs.”
Intent URLs count as external (cross-site) sources and should therefore be subject to SameSite restrictions. However, a Python proof-of-concept written by Chong showed that SameSite cookies were still sent when the web server redirected to the target site via an intent URL.
The same technique also sidestepped the Sec-Fetch-Site request header (part of Fetch Metadata), which tells a server where a request originated and lets websites control access to their resources from external origins.
“Both techniques are commonly utilized to defend against CSRF (cross-site request forgery), so the implication is that such protective measures can be circumvented,” Chong said.
Impact on Regular Redirects
Further testing showed that SameSite cookies were also retained on regular redirects that did not involve the intent scheme at all.
An earlier Chrome release had fixed this behaviour, but the fix was later reverted over compatibility concerns.
Enabling the experimental cookie features flag (chrome://flags/#enable-experimental-cookie-features) restores the stricter behaviour, so that SameSite cookies are no longer forwarded on regular redirects.
That flag, however, did not fix the insecure handling of intent redirects; Chong noted that the two behaviours required separate fixes.
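To make the redirect behaviour concrete, here is a simplified model of how a browser decides which SameSite cookies to attach to the final request of a top-level navigation. It is an added illustration, not Chromium's code and not Chong's proof-of-concept. It assumes that the reverted fix the flag re-enables works by checking every URL in the redirect chain against the destination, rather than only the page that initiated the navigation; the hostnames victim.example and attacker.example, the cookie names, and the two-label approximation of a registrable domain in site_of are all constructed for the example.

```python
# Added illustration, not Chromium's code: a simplified model of how a
# browser decides which SameSite cookies to attach to the final request of
# a top-level navigation, with and without checking the redirect chain.
from dataclasses import dataclass
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Approximate the registrable domain as the last two host labels.
    Real browsers consult the Public Suffix List; this is a simplification."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None"


def cookies_sent(cookies, initiator, redirect_chain, method="GET",
                 consider_redirect_chain=False):
    """Return the names of the cookies attached to the last hop of the chain.

    initiator               URL of the document that started the navigation
    redirect_chain          every URL requested, first hop to final destination
    consider_redirect_chain assumption about the reverted fix (re-enabled by
                            the experimental cookie features flag): every hop,
                            not just the initiator, must be same-site
    """
    target_site = site_of(redirect_chain[-1])
    hops = [initiator]
    if consider_redirect_chain:
        hops += redirect_chain[:-1]
    same_site = all(site_of(u) == target_site for u in hops)
    safe_method = method.upper() in ("GET", "HEAD")

    sent = []
    for cookie in cookies:
        if cookie.same_site == "None":
            sent.append(cookie.name)           # always attached (needs Secure)
        elif cookie.same_site == "Lax":
            if same_site or safe_method:       # top-level safe navigations too
                sent.append(cookie.name)
        elif cookie.same_site == "Strict":
            if same_site:                      # only when every hop is ours
                sent.append(cookie.name)
    return sent


# Constructed sample data: three session cookies set by victim.example.
COOKIES = [Cookie("sess_strict", "Strict"),
           Cookie("sess_lax", "Lax"),
           Cookie("sess_none", "None")]
VICTIM_PAGE = "https://victim.example/app"
VICTIM_ACTION = "https://victim.example/transfer"
ATTACKER_BOUNCE = "https://attacker.example/bounce"


def scenarios():
    """Four navigations, returned as {label: cookies attached}."""
    return {
        # A link on attacker.example straight to the victim: Strict withheld.
        "cross-site link": cookies_sent(COOKIES, ATTACKER_BOUNCE, [VICTIM_ACTION]),
        # The same target reached by a cross-site POST: Lax withheld as well.
        "cross-site POST": cookies_sent(COOKIES, ATTACKER_BOUNCE, [VICTIM_ACTION],
                                        method="POST"),
        # The victim page links to attacker.example, which 302s back to the
        # victim. Comparing only initiator and destination calls this
        # same-site, so the Strict cookie rides along...
        "redirect via attacker, initiator only":
            cookies_sent(COOKIES, VICTIM_PAGE, [ATTACKER_BOUNCE, VICTIM_ACTION]),
        # ...whereas checking every hop in the chain withholds it.
        "redirect via attacker, whole chain":
            cookies_sent(COOKIES, VICTIM_PAGE, [ATTACKER_BOUNCE, VICTIM_ACTION],
                         consider_redirect_chain=True),
    }


if __name__ == "__main__":
    for label, names in scenarios().items():
        print(f"{label:40s} -> {names}")
```

The third scenario is the one worth staring at: nothing in it uses an intent URL, yet a Strict cookie reaches a request whose chain passed through a foreign site, which is exactly why a Strict cookie alone is not a CSRF defence.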
Challenges in Resolving the Issue
Fixing the bug was not straightforward, because Chrome's developers needed a way to tell which applications, web browsers included, could be trusted as the source of an intent.
Ultimately they decided not to trust intents at all, since “(a) other applications on the device might not be reliable, and (b) websites can exploit Intent URLs/redirects to revert to Chrome, enabling the evasion of SameSite restrictions.”
The episode shows that, given how intricately apps and browsers interact, developers should build multiple layers of protection into their applications rather than relying on any single browser feature.
“These kinds of browser security measures (such as SameSite cookies and Fetch metadata) are intended to serve as a secondary defense. While they provide an added layer of protection, they should not be relied upon as the sole means of security,” Chong emphasized.
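What that layering looks like on the server, as an added example that is not from the article and not Chromium's or Chong's code: the request handler uses Sec-Fetch-Site only as a cheap filter and always demands a session-bound synchronizer token, so a request that slipped past both SameSite and Fetch Metadata still fails. The session store, the session id s-123, the hypothetical SERVER_SECRET, and the sample requests are all constructed for the example.

```python
# Added example, not from the article or from Chromium: a layered server-side
# check for state-changing requests in which a session-bound synchronizer
# token is mandatory, so a request that slipped past SameSite cookies or
# Fetch Metadata still fails at the last layer.
import hashlib
import hmac
import secrets

# Hypothetical per-deployment key; in practice load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed sample data: one live session belonging to user "alice".
SESSIONS = {"s-123": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session id with an HMAC so it is bound to
    that session and cannot be forged or replayed from another one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def fetch_metadata_verdict(headers: dict) -> str:
    """Layer 1, Sec-Fetch-Site: 'reject' when the browser reports cross-site,
    'accept' for same-origin/same-site/none, 'unknown' when the header is
    absent (older clients). It is a cheap filter, not the final word."""
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        return "unknown"
    return "reject" if site == "cross-site" else "accept"


def check_state_changing_request(method, headers, cookies, form, sessions=SESSIONS):
    """Return (allowed, reason) for a request that changes server state."""
    # State changes belong on unsafe methods: Lax cookies ride on top-level
    # GETs by design, so a GET-triggered change would have no protection.
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False, "state-changing action must not accept safe methods"

    session_id = cookies.get("session")
    if session_id not in sessions:
        return False, "no valid session cookie"

    # Layer 1: trust the browser's Fetch Metadata only to reject, never to
    # accept on its own.
    if fetch_metadata_verdict(headers) == "reject":
        return False, "Sec-Fetch-Site reports cross-site"

    # Layer 2 (mandatory): the synchronizer token. Even if the cookie arrived
    # and Sec-Fetch-Site was missing or mis-reported, a cross-site page
    # cannot read this value, so it cannot supply it.
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"

    return True, "ok"


def scenarios():
    """Constructed requests, returned as {label: (allowed, reason)}."""
    session_cookie = {"session": "s-123"}
    good_token = issue_csrf_token("s-123")
    return {
        "legitimate form post":
            check_state_changing_request(
                "POST", {"Sec-Fetch-Site": "same-origin"},
                session_cookie, {"csrf_token": good_token}),
        # Ordinary CSRF: the browser labels it cross-site and layer 1 rejects.
        "plain cross-site post":
            check_state_changing_request(
                "POST", {"Sec-Fetch-Site": "cross-site"},
                session_cookie, {}),
        # The shape of the bypass in the article: the session cookie arrived
        # despite SameSite, and Sec-Fetch-Site does not say cross-site.
        # Only the token layer is left, and it holds.
        "cookie and metadata bypassed":
            check_state_changing_request(
                "POST", {"Sec-Fetch-Site": "same-site"},
                session_cookie, {}),
        # A token minted for some other session is worthless here.
        "token from another session":
            check_state_changing_request(
                "POST", {}, session_cookie,
                {"csrf_token": issue_csrf_token("s-999")}),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in scenarios().items():
        print(f"{label:30s} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The ordering matters: the header check runs first because it is free and catches the common case, but a missing or unexpected header value never short-circuits to "allow"; only the token, which a foreign origin cannot read, does that.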
Based on an article from portswigger.net: https://portswigger.net/daily-swig/chromium-bug-allowed-samesite-cookie-bypass-on-android-devices