Vulnerability in Chrome’s service worker feature created chink in browser’s armor

A set of features meant to speed up web page loading in Chrome contained a bug that allowed attackers to bypass the browser’s Site Isolation feature, a security researcher has discovered.

Chrome uses the Same-Origin Policy to prevent websites from accessing each other’s data inside the browser, but sometimes subtle security bugs such as Spectre open pathways to bypassing these policies.

Site isolation

Site Isolation is an additional line of defense that protects browsers against such threats. Introduced to Google Chrome in 2018 and replicated in last month’s Firefox release, Site Isolation means documents from different websites are rendered independently rather than in a shared process.

This makes it much harder for malicious websites to steal information from other websites. Even if a cross-domain website is embedded in another website through an iframe, Site Isolation will still load it in a separate process to protect its information.

Service worker contracts bug

However, Sergei Glazunov at Google’s Project Zero bypassed Site Isolation by leveraging a bug in Chrome’s service worker feature.

A service worker is JavaScript code that runs in the background, separate from the web page, and supports functions that don’t require user interaction such as push notifications and background sync.



According to Glazunov’s report, the exploit starts when a malicious website uses ‘navigation preload’, a feature that loads a URL in parallel to booting the service worker. In this case, the malicious code uses a URL loader with Cross-Origin Read Blocking (CORB) disabled. CORB is an algorithm that blocks dubious cross-origin resource loads in web browsers before they reach the web page.
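To show what a CORB-disabled loader skips, here is a simplified model of the CORB decision, added as an illustration and not taken from Chrome or from Glazunov’s report. The function names, the sniffing rules and the example.test responses are assumptions, and real CORB covers more cases.

```javascript
// Simplified model of Cross-Origin Read Blocking (CORB); not Chrome's implementation.
// Function names, sniffing rules and sample responses are constructed for illustration.
const PROTECTED = {
  html: /^text\/html$/,
  json: /^(text|application)\/json$|\+json$/,
  xml: /^(text|application)\/xml$|\+xml$/,
};

// Rough content sniffers: confirm the body really looks like the declared type,
// so that mislabeled scripts or images are not blocked by mistake.
const SNIFF = {
  html: (b) => /^\s*<(!doctype html|html|head|body|script|iframe)\b/i.test(b),
  json: (b) => /^\s*\{\s*"[^"]*"\s*:/.test(b),
  xml: (b) => /^\s*<\?xml\b/i.test(b),
};

function protectedKind(contentType) {
  const mime = (contentType || '').split(';')[0].trim().toLowerCase();
  if (mime === 'image/svg+xml') return null; // SVG is loaded as an image
  if (mime === 'text/plain') return 'plain'; // common default label, may hide any type
  return Object.keys(PROTECTED).find((k) => PROTECTED[k].test(mime)) || null;
}

// Returns 'allow' or 'block' for a response about to be delivered to a renderer.
function corbDecision({ initiatorOrigin, url, corsApproved, headers, body }) {
  if (new URL(url).origin === initiatorOrigin) return 'allow'; // same-origin load
  if (corsApproved) return 'allow'; // the server opted in through CORS
  const kind = protectedKind(headers['content-type']);
  if (!kind) return 'allow'; // scripts, images, media, fonts...
  const nosniff = (headers['x-content-type-options'] || '').toLowerCase() === 'nosniff';
  if (nosniff) return 'block'; // declared type is authoritative
  const sniffers = kind === 'plain' ? Object.values(SNIFF) : [SNIFF[kind]];
  return sniffers.some((looksLike) => looksLike(body)) ? 'block' : 'allow';
}

// Constructed sample responses requested by a page on https://site-a.example.test.
const base = { initiatorOrigin: 'https://site-a.example.test', corsApproved: false };
const samples = [
  { ...base, url: 'https://site-b.example.test/inbox.json', body: '{"unread": 3}',
    headers: { 'content-type': 'application/json', 'x-content-type-options': 'nosniff' } },
  { ...base, url: 'https://site-b.example.test/inbox', body: '<!doctype html><p>Hi</p>',
    headers: { 'content-type': 'text/html; charset=utf-8' } },
  { ...base, url: 'https://site-b.example.test/lib.js', body: 'var ready = true;',
    headers: { 'content-type': 'text/html' } }, // script mislabeled as HTML
  { ...base, url: 'https://site-a.example.test/me.json', body: '{"id": 1}',
    headers: { 'content-type': 'application/json' } },
];
for (const s of samples) console.log(s.url, '->', corbDecision(s));
```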

Once the CORB-disabled URL loader is ready, it is passed on to the service worker, where it loads the requested content and destroys itself.

The URL loader is supposed to prevent redirects, but since the service worker has access to the URL loader interface, it can modify the loader’s behavior to follow the redirect and read the full response, even if it comes from a cross-origin domain.

Moreover, the Site Isolation feature will not block the code from accessing the off-limits data.

In proof-of-concept code, Glazunov shows how an attacker can use the bug to request a Gmail URL and get access to a user’s cookies and data.

The issue was fixed in Chrome 96.

