
A bug in Chromium enables attackers to bypass site isolation protection through iframes and popup windows to carry out a host of malicious activities.
This opens the door to numerous exploits, including stealing private information, reading and modifying cookies, and gaining access to microphone and camera feeds.
Site isolation puts each origin's renderer in a different process so that different websites in a browser cannot access each other's data. The technology also lets the browser assign each renderer a specific origin, a mechanism it calls process locks.
There are other checks that are also used to enforce site isolation, but they are less robust than process locks. This bug bypasses those less-robust checks.
The vulnerability is triggered if an embedded iframe opens a new window, such as a popup or a new tab, with a specially crafted URL that keeps the initial navigation entry for the new window. It can then access the data of the top window.
There are only a couple of ways to trigger the bug, but there is a broad range of ways to exploit it. Anything that has not been protected by process locks can be exploited through the vulnerability.
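The trigger described above starts from an embedded iframe that is allowed to open a new window and keep a relationship with the top page. As an added example, not from the article or from the Chromium project, the script below audits a site for the two standard web-platform settings that shrink that surface as defense in depth: the `sandbox` attribute on cross-site iframes (a sandbox without `allow-popups` cannot open windows) and the `Cross-Origin-Opener-Policy` / `frame-ancestors` response headers that sever cross-origin openers and limit who may embed the page. The sample HTML, origins and header maps are constructed for the demo; this check does not detect the Chromium bug itself, which is fixed by updating the browser.

```python
# Added example (not from the article): a small defense-in-depth audit for the
# iframe -> popup -> top-window pattern. It flags cross-site iframes that may
# open popups and response headers that leave a page embeddable or its
# cross-origin popups attached to window.opener. Header names and sandbox
# tokens are standard web-platform features; all sample data is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> element in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _same_site(src, page_origin):
    """Treat relative URLs and subdomains of the page host as same-site
    (a deliberate simplification; a real checker would use the public suffix list)."""
    host = urlparse(src).hostname or ""
    page_host = urlparse(page_origin).hostname or ""
    return host == "" or host == page_host or host.endswith("." + page_host)


def audit_iframes(html, page_origin):
    """Return one finding per cross-site iframe that is able to open popups."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        if _same_site(src, page_origin):
            continue
        if "sandbox" not in attrs:
            findings.append(f"{src}: no sandbox attribute; iframe may open popups")
            continue
        # A bare `sandbox` attribute parses as None: empty token list, popups blocked.
        tokens = (attrs["sandbox"] or "").split()
        if "allow-popups" in tokens:
            findings.append(f"{src}: sandbox permits allow-popups")
    return findings


def audit_headers(headers):
    """Return findings for missing opener-isolation and anti-framing headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    coop = h.get("cross-origin-opener-policy", "").split(";")[0].strip()
    if coop != "same-origin":
        findings.append("Cross-Origin-Opener-Policy is not 'same-origin'; "
                        "cross-origin popups keep window.opener")
    csp = h.get("content-security-policy", "")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no frame-ancestors / X-Frame-Options; "
                        "other sites can embed this page in an iframe")
    return findings


# Constructed sample page: one same-site widget, three third-party embeds.
SAMPLE_PAGE = """
<html><body>
<iframe src="/widgets/chat"></iframe>
<iframe src="https://ads.example-partner.test/slot"></iframe>
<iframe src="https://embed.example-partner.test/video" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="https://maps.example-partner.test/map" sandbox="allow-scripts"></iframe>
</body></html>
"""
PAGE_ORIGIN = "https://shop.example.test"  # constructed
SAMPLE_HEADERS_WEAK = {"Content-Type": "text/html"}  # constructed
SAMPLE_HEADERS_HARDENED = {  # constructed
    "Cross-Origin-Opener-Policy": "same-origin",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    for line in audit_iframes(SAMPLE_PAGE, PAGE_ORIGIN):
        print("iframe:", line)
    for line in audit_headers(SAMPLE_HEADERS_WEAK):
        print("headers:", line)
    print("hardened headers:", audit_headers(SAMPLE_HEADERS_HARDENED) or "ok")
```

Run on the constructed page the audit reports the unsandboxed ad slot and the video embed that carries `allow-popups`, while the map embed (sandboxed without popups) and the same-site chat widget pass; the weak header set yields two findings and the hardened set none.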
A conflict in the logic behind the functions for opening new windows in the browser introduced the site isolation bypass in one of the commits to Chromium version 98. This bug was in Chrome Canary for about four months and in the Stable release for around two months before it was discovered.
Ortiz, the researcher who worked on this finding, was awarded $20,000 in bug bounty by the Google Vulnerability Reward Program panel, of which he gave $4,000 to a collaborating researcher.