Chromium bug allowed SameSite cookie bypass on Android devices

Ben Dickson 27 February 2023 at 11:50 UTC

Recent vulnerabilities have raised concerns about the effectiveness of cross-site request forgery protections.

A recently patched issue within the Chromium project has revealed a potential weakness that could allow attackers to circumvent security mechanisms designed to safeguard sensitive cookies on Android web browsers.

The SameSite attribute is a critical feature that enables developers to limit when a cookie is sent, thereby protecting users’ data. For instance, it can be used to prevent cookies from being included in HTTP requests when a user reaches a website through links or redirect requests originating from other sites.

Bypassing SameSite with Intent Requests

Security expert Axel Chong made a significant discovery: he could bypass the SameSite protections by utilizing the intent scheme to navigate to the targeted site. Intents function as external protocol handlers, allowing Android apps to launch other applications, such as transitioning from a web browser to the Maps app or vice versa.

“I stumbled upon this issue while examining another interesting bug related to intents,” Chong shared with The Daily Swig. “Since intent URLs can lead back to the same app (Chrome in this case) and create a new browsing context, I became curious about the potential security implications.”

Although intent URLs should count as external sources and therefore be subject to SameSite constraints, Chong’s proof-of-concept in Python demonstrated that cookies set with these attributes may still be sent when the web server responds with a redirect to an intent URL.


This same mechanism also circumvents the Origin header, which indicates the request’s source, allowing websites to manage access to their resources from external origins.

“Both mechanisms are typically utilized to defend against CSRF (cross-site request forgery), meaning their circumvention has significant implications,” Chong added.

Impact on Normal Redirects

Further analysis revealed that SameSite cookies are also transmitted through standard redirect requests, even without the intent protocol.

While prior versions of Chrome addressed this issue, the fix was retracted due to complications it introduced.

Activating the experimental cookie feature flag (chrome://flags/#enable-experimental-cookie-features) would reinstate secure behavior, preventing SameSite cookies from being sent over standard redirect requests.

However, this flag did not remedy the insecure behavior manifested through intent redirects. Chong also noted that the flag had no effect on the Origin behavior, which required separate rectification.
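To make the SameSite rules in the introduction and the redirect behaviour discussed in this section concrete, here is a small Python model of how a browser decides whether a cookie is attached. It is an added illustration, not code from Chromium, from Chong’s proof-of-concept or from the article; the `site()` helper is a deliberate simplification (scheme plus the last two host labels, no public suffix list), and the `initiator_url=None` case is an assumption used to model a navigation whose starting context the browser does not count as cross-site.

```python
"""Model of a browser's SameSite decision for one request, and for a
redirect chain.  Added illustration, not Chromium code.  site() is a
deliberate simplification: scheme plus the last two host labels stand in
for the registrable domain (a real browser consults the public suffix list)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    same_site: str = "Lax"   # "Strict", "Lax" or "None"
    secure: bool = False


def site(url: str) -> Tuple[str, str]:
    """Scheme + (simplified) registrable domain of a URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return (p.scheme, ".".join(host.split(".")[-2:]))


def decide(cookie: Cookie, same_site: bool, top_level_navigation: bool, method: str) -> bool:
    """Core SameSite rule, given whether the request counts as same-site."""
    if same_site:
        return True
    mode = cookie.same_site.capitalize()
    if mode == "None":
        return cookie.secure          # SameSite=None is only honoured together with Secure
    if mode == "Strict":
        return False                  # never on a cross-site request
    # Lax: cross-site only for top-level navigations using a safe method
    return top_level_navigation and method.upper() in SAFE_METHODS


def cookie_attached(cookie: Cookie, request_url: str, initiator_url: Optional[str],
                    top_level_navigation: bool, method: str = "GET") -> bool:
    """Would the browser send `cookie` on a request to `request_url` started from
    `initiator_url`?  None (assumption) models a start context with no cross-site
    initiator, e.g. a typed address; only the original initiator is considered."""
    same_site = initiator_url is None or site(initiator_url) == site(request_url)
    return decide(cookie, same_site, top_level_navigation, method)


def cookie_attached_after_redirects(cookie: Cookie, chain: List[str], initiator_url: Optional[str],
                                    top_level_navigation: bool, method: str = "GET") -> bool:
    """Stricter rule: every hop of the redirect chain, not just the original
    initiator, must be same-site with the final URL.  This is the kind of
    behaviour the article says the experimental flag reinstates for normal
    redirects (the intent case is not modelled here)."""
    final = chain[-1]
    hops = ([initiator_url] if initiator_url else []) + chain[:-1]
    same_site = all(site(u) == site(final) for u in hops)
    return decide(cookie, same_site, top_level_navigation, method)


if __name__ == "__main__":
    strict = Cookie("session", "Strict", secure=True)
    # Constructed sample chain: a cross-site hop that redirects to the target site.
    chain = ["https://attacker.example/go", "https://bank.example/transfer"]
    # Only the original initiator considered: nothing cross-site is seen, cookie sent.
    print(cookie_attached(strict, chain[-1], None, True))              # True
    # Whole chain considered: the cross-site hop makes the request cross-site.
    print(cookie_attached_after_redirects(strict, chain, None, True))  # False
```

The two functions differ only in which URLs feed the same-site decision; that difference is exactly what turns a redirect through another site from “looks same-site” into “cross-site”, which is why the redirect-chain handling matters for CSRF defences that lean on SameSite.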

Challenges in Implementing a Solution

Addressing the flaw was complex, as developers needed to figure out how to identify trusted applications, including web browsers.

Ultimately, it was decided to refrain from trusting intents due to concerns that “(a) other applications on the device may not be reliable and (b) websites could leverage Intent URLs/redirects to revert back to Chrome, potentially exploiting it to bypass SameSite constraints.”

This incident serves as a reminder that due to the intricate ways apps and browsers can interact, developers must implement multiple layers of security across their applications.

“These browser security features (like SameSite cookies, Fetch metadata) are designed for defense-in-depth purposes. Utilize them but do not depend solely on them for protection,” Chong recommended.
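Chong’s advice above (use SameSite and Fetch metadata, but do not depend on them alone) can be expressed as a layered server-side check. The following is an added example, not code from the article or from any project it mentions; `Request` is a constructed stand-in for a web framework’s request object, and the constructed sample requests in the test mimic the situations the article describes, including one where the Origin header is absent.

```python
"""Layered CSRF check for state-changing requests.  Added example, not code
from the article.  `Request` is a constructed stand-in for a framework's
request object; a real app would adapt csrf_check() to its own middleware."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple
from urllib.parse import urlparse

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)   # server-side session store


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate a per-session synchronizer token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(req: Request, allowed_origins: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason).  Three independent layers:
    1. Sec-Fetch-Site (Fetch metadata): reject requests the browser labels cross-site.
    2. Origin / Referer: reject when a source is present and not on the allow list.
    3. Synchronizer token: required on every state-changing request, so a request
       that arrives with the session cookie but without the headers (the situation
       the article describes for redirects) still fails.
    Layers 1 and 2 are skipped when their header is absent; layer 3 never is."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"

    h = {k.lower(): v for k, v in req.headers.items()}

    sfs = h.get("sec-fetch-site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        # "same-site" is also rejected here; relax to taste for multi-subdomain apps
        return False, f"Sec-Fetch-Site={sfs}"

    source = h.get("origin") or h.get("referer")
    if source:
        p = urlparse(source)
        if f"{p.scheme}://{p.netloc}" not in allowed_origins:   # "null" fails too
            return False, f"disallowed source {source}"

    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


if __name__ == "__main__":
    allowed = {"https://bank.example"}
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    # Constructed sample: legitimate same-origin form post.
    print(csrf_check(Request("POST", {"Origin": "https://bank.example",
                                      "Sec-Fetch-Site": "same-origin"},
                             {"csrf_token": token}, session), allowed))
    # Constructed sample: session cookie present but every header stripped and no token.
    print(csrf_check(Request("POST", {}, {}, session), allowed))
```

The point of the ordering is that the cheap header checks reject the obvious cases early, while the token check is the layer that still holds when a browser quirk causes a cross-site request to arrive looking same-site.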



Based on an article from portswigger.net: https://portswigger.net/daily-swig/chromium-bug-allowed-samesite-cookie-bypass-on-android-devices
