
Safe Browsing: Google fixes Chrome site isolation bypass error


Ben Dickson December 21, 2021 15:20 UTC

Update time: December 21, 2021 15:42 UTC

Vulnerability in Chrome Service Worker’s functionality created a crack in the browser’s armor

A security researcher discovered that a set of features designed to speed up the loading of web pages in Chrome contains a vulnerability that allows an attacker to bypass the browser’s site isolation feature.

Chrome uses the same-origin policy to prevent websites from accessing each other’s data within the browser, but sometimes subtle security vulnerabilities such as Spectre open up ways to bypass these policies.

Site isolation

Site isolation is an additional line of defense against such threats. Google introduced it in Chrome in 2018, and Firefox shipped an equivalent last month. Site isolation means that documents from different websites are rendered in separate processes rather than sharing one.

This makes it more difficult for malicious websites to steal information from other websites. Even if a cross-domain website is embedded in another website via an iframe, Site Isolation will still load it in a separate process to protect its information.

Service Worker bug

However, Sergei Glazunov of Google Project Zero used a bug in Chrome’s service worker functionality to bypass site isolation.

Service Worker is JavaScript code that runs in the background, independent of web pages, and supports functions that do not require user interaction, such as push notifications and background synchronization.


According to Glazunov’s report, the exploit starts when a malicious website uses “navigation preloading”, a feature that fetches the navigation URL at the same time as the service worker is started. In this case, the malicious code uses a URL loader that has cross-origin read blocking (CORB) disabled. CORB is an algorithm that blocks cross-origin resources before they reach the web page.

Once the URL loader with CORB disabled is ready, it is passed to the Service Worker, where it loads the requested content and destroys itself.

The URL loader is supposed to refuse redirects, but because the Service Worker has access to the URL loader interface, it can change that behavior to follow the redirect and read the complete response, even when it comes from a cross-origin domain.

In addition, the site isolation feature does not prevent the code from accessing this out-of-bounds data.

In the proof-of-concept code, Glazunov showed how an attacker can use the vulnerability to request a Gmail URL and access the user’s cookies and data.

This issue has been fixed in Chrome 96.
