Ben Dickson 27 February 2023 at 11:50 UTC
Recent findings revealed that protections against cross-site request forgery (CSRF) may be circumvented.
A recently addressed vulnerability within the Chromium project could enable malicious entities to bypass security features intended to protect sensitive cookies on Android browsers.
The SameSite attribute lets developers restrict when a browser attaches a cookie to a request. For instance, configuring this setting can prevent a cookie from being sent with HTTP requests made when a user reaches a website through a link or redirect from another site.
SameSite Bypass via Intent Requests
Security expert Axel Chong identified a way to bypass SameSite protection by employing the intent scheme to navigate to a target website. Intents are external protocol handlers that enable Android applications to open other apps, facilitating transitions from a browser to the Maps application or from an SMS to the browser.
“I encountered this bug while exploring this intriguing bug about intents,” Chong shared with The Daily Swig. “As intent URLs can direct to the same app (Chrome), creating a new browsing context, it made me curious about what security measures those URLs might evade.”
Intent URLs should be treated as external sources and be subject to SameSite rules. Nevertheless, a proof-of-concept that Chong developed in Python demonstrates that cookies with such settings are still sent when a web server initiates a redirect using an intent URL.
This method also circumvents the Referer header, which indicates the origin of a request and gives websites a way to control access to their resources from external sources.
“Both methods are typically employed to guard against CSRF (Cross-Site Request Forgery), thus the consequence would be the evasion of these safeguards,” Chong noted.
Implications for Normal Redirects
Further analysis indicated that SameSite cookies are also retained during standard redirect requests without utilizing the intent protocol.
Though this issue was addressed in a prior version of Chrome, the fix was subsequently reverted because it caused breaking changes.
The experimental cookie feature flag (chrome://flags/#enable-experimental-cookie-features) would reinstate the secure behavior, preventing SameSite cookies from transferring during ordinary redirect requests.
This flag does not mitigate the insecure behavior associated with intent redirects, and Chong mentioned that the flag's effect did not extend to the Referer behavior, which needs to be fixed separately.
Challenges of Developing a Fix
Rectifying this bug presented challenges as developers needed to assess how to identify trusted applications, particularly browsers.
Ultimately, a decision was made not to trust intents due to concerns that “(a) other applications on the device might not be reliable, and (b) websites could leverage Intent URLs/redirects to revert back to Chrome, potentially using it to slip past SameSite restrictions.”
This situation illustrates that, given the complex ways applications and browsers can interact, developers should implement multiple layers of security within their applications.
“These types of browser security mechanisms (i.e., SameSite cookies, Fetch metadata) are intended to serve as defense-in-depth strategies. While they should be utilized, they must not be relied upon as the sole means of protection,” Chong emphasized.
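The layering Chong recommends, as an added example (not code from the article or from Chromium): a server-side request check that does not stop at "the SameSite cookie arrived" but also consults Fetch Metadata and Origin and requires a per-session CSRF token, run over three constructed requests, including one where a SameSite cookie was attached despite a cross-site redirect and one opened in a fresh browsing context with no initiator headers. Header values, the secret and the session ids are assumptions for the example.

```python
import hmac
import hashlib

# Constructed values for this example (assumptions, not from the article).
SECRET_KEY = b"example-only-secret"
OUR_ORIGIN = "https://example.com"

def csrf_token(session_id):
    """Per-session synchronizer token: HMAC of the session id, so the server
    needs no extra state and possession of the cookie alone cannot forge it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def samesite_only_check(request):
    """A server that trusts SameSite alone: session cookie present => accepted.
    This is exactly the assumption the redirect/intent behaviour defeats."""
    return "session" in request["cookies"]

def layered_check(request):
    """Defense in depth: cookie AND Fetch Metadata/Origin AND CSRF token."""
    session = request["cookies"].get("session")
    if session is None:
        return False
    headers = request["headers"]
    # Sec-Fetch-Site reflects the whole redirect chain; 'cross-site' is rejected.
    # 'none' (app/user-initiated navigation) and a missing header fall through
    # to the remaining layers instead of being trusted.
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None and sfs not in ("same-origin", "same-site", "none"):
        return False
    origin = headers.get("Origin")
    if origin is not None and origin != OUR_ORIGIN:
        return False
    # Final layer: the token must match the session the cookie identifies.
    token = request["form"].get("csrf_token", "")
    return hmac.compare_digest(token, csrf_token(session))

def demo():
    """Three constructed state-changing POSTs as the server would see them."""
    legit = {"cookies": {"session": "s1"},
             "headers": {"Sec-Fetch-Site": "same-origin", "Origin": OUR_ORIGIN},
             "form": {"csrf_token": csrf_token("s1")}}
    # Cross-site form post where the SameSite cookie was nonetheless attached.
    redirect = {"cookies": {"session": "s1"},
                "headers": {"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example"},
                "form": {}}
    # New browsing context opened via an intent URL: cookie present, no
    # initiator headers (assumed), no token.
    intent = {"cookies": {"session": "s1"}, "headers": {}, "form": {}}
    return {name: (samesite_only_check(r), layered_check(r))
            for name, r in (("legit", legit), ("redirect", redirect), ("intent", intent))}
```

Each result pair is (accepted by SameSite-only logic, accepted by the layered check); only the legitimate request passes both.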
Based on an article from PortSwigger: https://portswigger.net/daily-swig/chromium-bug-allowed-samesite-cookie-bypass-on-android-devices