
Google Chrome has a set of features intended to speed up page loading. A bug was discovered in one of them that allows an attacker to bypass the browser's Site Isolation feature. Like other browsers, Chrome enforces the Same-Origin Policy to prevent websites from reading each other's data inside the browser. Transient-execution attacks such as Spectre, however, let code read arbitrary memory within its own process, which undermines any policy that is enforced only in software inside that process.
Site Isolation feature
Site Isolation is the line of defense that protects the browser against such threats. With Site Isolation, documents from different sites are rendered in separate renderer processes rather than sharing one, so data from another site never enters the process in which a malicious page runs and cannot be reached even by a Spectre-style read. Even when a cross-site page is embedded in another page through an iframe, Site Isolation loads it in a separate process to protect its information.
Service worker bug
The researchers bypassed Site Isolation by leveraging a bug in Chrome's service worker feature. A service worker is JavaScript code that runs in the background, separate from the web page, and supports functions that do not require user interaction, such as push notifications and background sync. It can also intercept and answer network requests made by the pages it controls, which is the capability this bug abuses.
The exploit starts when a malicious website uses 'navigation preload', a feature that starts the network request for a navigation in parallel with booting the service worker, so the page is not delayed by service worker start-up. In this case the preload request is issued through a URL loader that has Cross-Origin Read Blocking (CORB) disabled. CORB is an algorithm in the browser's network service that identifies sensitive cross-origin responses (HTML, XML and JSON) and blocks them before they reach the renderer process, so that a page cannot pull another site's data into its own process by requesting it as, for example, an image or a script.
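The navigation preload mechanism the exploit piggybacks on is an ordinary service worker API. The following is an added example, not code from the article or from the researchers: a minimal service worker that enables navigation preload on activation and consumes the preloaded response in its fetch handler. The response-selection logic is kept in a plain function, `respondToNavigation`, so it can be exercised outside a browser with stand-in event objects; the `sw-preload` header value is an arbitrary choice.

```javascript
// Added example: minimal service worker using navigation preload.
// `event.preloadResponse` resolves to the Response that the browser started
// fetching in parallel with service worker start-up, or to undefined when no
// preload was made for this request.

// Pick a response for a fetch event. `fetchImpl` is injected so the function
// can run outside a browser (inside the worker, pass the global fetch).
async function respondToNavigation(event, fetchImpl) {
  // Only navigations are preloaded; sub-resource requests go straight to the network.
  if (event.request.mode !== 'navigate') {
    return fetchImpl(event.request);
  }
  const preloaded = await event.preloadResponse;
  if (preloaded) {
    return preloaded; // the parallel request has already been issued; reuse it
  }
  // Preload disabled, unsupported, or not used for this particular request.
  return fetchImpl(event.request);
}

// Browser wiring. This part only runs inside a ServiceWorkerGlobalScope.
if (typeof self !== 'undefined' && 'registration' in self) {
  self.addEventListener('activate', (event) => {
    event.waitUntil((async () => {
      if (self.registration.navigationPreload) {
        await self.registration.navigationPreload.enable();
        // Sent as the Service-Worker-Navigation-Preload request header so the
        // server can tell preload requests apart (the value is an arbitrary choice).
        await self.registration.navigationPreload.setHeaderValue('sw-preload');
      }
    })());
  });

  self.addEventListener('fetch', (event) => {
    event.respondWith(respondToNavigation(event, fetch));
  });
}
```

Note that the browser issues the preload request before the worker's fetch handler runs; the handler only decides whether to hand that response to the page or to fetch again. That parallel request is the loader the article describes being created with CORB disabled.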
Once the CORB-disabled URL loader is ready, it is handed to the service worker, which uses it to load the requested content and then destroys it. The loader is supposed to refuse redirects, but because the service worker has access to the URL loader interface, it can change that behaviour, follow a redirect to a cross-origin destination and read the full response. With CORB disabled on the loader, the cross-origin data lands in the attacker's renderer process, where Site Isolation can no longer do anything to stop the page from reading it. The issue was fixed in Chrome 96; any deployment still running an earlier version remains affected.
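CORB is the protection that the CORB-disabled loader in this attack sidesteps. To make concrete what it normally filters, here is an added example (not Chromium's code, and not part of the original article): a simplified JavaScript model of the CORB decision for a cross-origin `no-cors` response, following the publicly documented rules: protected MIME types (HTML, XML, JSON and text/plain), an `X-Content-Type-Options: nosniff` shortcut, a block on 206 partial bodies, and confirmation sniffing of the body otherwise. The sniffing patterns are reduced and the sample responses are constructed for illustration; the real implementation has more cases, and `cors`-mode requests are decided by the CORS check rather than modelled here.

```javascript
// Added example: simplified model of Cross-Origin Read Blocking (CORB).
// Not Chromium code; the patterns are reduced to illustrate the decision.

// Map a Content-Type header to the CORB-protected kind it belongs to, or null.
function protectedKind(contentType) {
  const mime = contentType.split(';')[0].trim().toLowerCase();
  if (mime === 'text/html') return 'html';
  if (mime === 'text/xml' || mime === 'application/xml' ||
      (mime.endsWith('+xml') && mime !== 'image/svg+xml')) return 'xml';
  if (mime === 'application/json' || mime === 'text/json' || mime.endsWith('+json')) return 'json';
  if (mime === 'text/plain') return 'plain';
  return null; // images, scripts, stylesheets, fonts etc. are never blocked
}

// Confirmation sniffers: does the body actually look like the declared type?
// Without them, a mislabelled image or script would be blocked and break sites.
const HTML_PREFIXES = ['<!doctype html', '<html', '<head', '<body', '<script', '<!--', '<iframe', '<div', '<table'];
function sniffsAsHtml(body) {
  const s = body.trimStart().toLowerCase();
  return HTML_PREFIXES.some((p) => s.startsWith(p));
}
function sniffsAsXml(body) {
  return body.trimStart().startsWith('<?xml');
}
function sniffsAsJson(body) {
  const s = body.trimStart();
  // An object literal `{ "key"...` or one of the JSON "parser breaker"
  // prefixes that APIs prepend against script-inclusion attacks.
  return /^\{\s*"/.test(s) || s.startsWith(")]}'") || s.startsWith('{}&&');
}

// CORB decision for a response already known to be cross-origin.
// `resp` = { status, headers: { lowercase-name: value }, body: string }.
function corbShouldBlock(resp) {
  const kind = protectedKind(resp.headers['content-type'] || '');
  if (kind === null) return false;
  const nosniff = (resp.headers['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  if (nosniff) return true;             // server vouches for the type; block without sniffing
  if (resp.status === 206) return true; // partial content: the body cannot be sniffed reliably
  switch (kind) {
    case 'html':  return sniffsAsHtml(resp.body);
    case 'xml':   return sniffsAsXml(resp.body);
    case 'json':  return sniffsAsJson(resp.body);
    case 'plain': return sniffsAsHtml(resp.body) || sniffsAsXml(resp.body) || sniffsAsJson(resp.body);
  }
  return false;
}

// CORB applies to cross-origin responses that are not governed by CORS (mode
// 'cors', decided elsewhere) and that do not become their own document (navigations).
function shouldBlock(initiatorOrigin, request, resp) {
  if (new URL(request.url).origin === initiatorOrigin) return false;
  if (request.mode === 'cors' || request.mode === 'navigate') return false;
  return corbShouldBlock(resp);
}

// Constructed sample responses (not captured traffic), as seen from an attacker origin.
const ATTACKER = 'https://attacker.example';
const SAMPLES = {
  bankHtmlAsImage:       { request: { url: 'https://bank.example/account', mode: 'no-cors' },
    resp: { status: 200, headers: { 'content-type': 'text/html; charset=utf-8' }, body: '<!DOCTYPE html><html><body>balance: 42</body></html>' } },
  apiJsonNosniff:        { request: { url: 'https://api.example/me', mode: 'no-cors' },
    resp: { status: 200, headers: { 'content-type': 'application/json', 'x-content-type-options': 'nosniff' }, body: '{"token":"secret"}' } },
  jsonWithParserBreaker: { request: { url: 'https://api.example/feed', mode: 'no-cors' },
    resp: { status: 200, headers: { 'content-type': 'application/json' }, body: ")]}'\n{\"items\":[]}" } },
  plainTextHoldingJson:  { request: { url: 'https://api.example/legacy', mode: 'no-cors' },
    resp: { status: 200, headers: { 'content-type': 'text/plain' }, body: '{"token":"secret"}' } },
  partialHtml:           { request: { url: 'https://bank.example/big', mode: 'no-cors' },
    resp: { status: 206, headers: { 'content-type': 'text/html' }, body: 'nce: 42</body>' } },
  mislabelledPng:        { request: { url: 'https://cdn.example/logo', mode: 'no-cors' },
    resp: { status: 200, headers: { 'content-type': 'text/html' }, body: '\x89PNG\r\n\x1a\n....' } },
  svgImage:              { request: { url: 'https://cdn.example/icon.svg', mode: 'no-cors' },
    resp: { status: 200, headers: { 'content-type': 'image/svg+xml' }, body: '<?xml version="1.0"?><svg/>' } },
  sameOriginHtml:        { request: { url: 'https://attacker.example/page', mode: 'no-cors' },
    resp: { status: 200, headers: { 'content-type': 'text/html' }, body: '<html></html>' } },
};

// Evaluate every sample and return { name: blocked } for inspection.
function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = shouldBlock(ATTACKER, s.request, s.resp);
  return out;
}

for (const [name, blocked] of Object.entries(runSamples())) {
  console.log(`${name.padEnd(22)} ${blocked ? 'BLOCKED by CORB' : 'delivered to renderer'}`);
}
```

The point of the model is the asymmetry it shows: a response is only blocked when the network service sees it before the renderer does. A loader created with CORB disabled, as in this bug, skips every branch above, so a cross-site HTML or JSON body reaches the attacker's process unfiltered and process isolation has nothing left to protect.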