Site isolation security break uncovered
A newly fixed bug in the Chromium project allowed malicious parties to inject code into embedded site pages, even when those resources were isolated from the parent website.
A proof of concept provided by the security researcher who first reported the issue shows an attacker-controlled website exploiting the bug to change the contents of an embedded website, even though the attacking page and the embedded target exist on separate domains.
According to a thread recently made public on the Chromium website, the bug could be exploited even when “site isolation” is enabled on the browser. Site isolation is a security feature that puts each website in a separate process in order to improve security.
According to the researcher, the inter-process communication between isolated processes contained a race condition, a class of vulnerability in systems that must complete a task in multiple steps. If there is a short window of time between execution steps where the system is vulnerable, an attacker can exploit that weakness to make harmful changes.
In the case of the Chromium project, an attacker could use a race condition attack to tamper with data buffers shared between the isolated processes of a parent website and an embedded one.
This vulnerability could eventually enable attackers to inject malicious code into embedded pages or steal sensitive information from users, among other attacks.
The security flaw was reported in late March and patched by the end of April. The Google Vulnerability Rewards Program awarded the security researcher $15,000 for the discovery.
The flaw has been described as a “site isolation break because of double fetch of shared buffer”.
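To make the bug class concrete (the race on a shared buffer described above, and the "double fetch" named in the summary), here is an added C example that is not Chromium's code: a toy parser for a length-prefixed message in shared memory, in its double-fetch form beside the single-fetch form. The `race_hook` callback, the `shared_msg` layout and the 8-byte message whose length is flipped to 60 are all constructed for the demo; the hook simply stands in for the other process writing into the buffer between the check and the use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of a message in memory shared with an untrusted process:
 * a length header followed by payload. len is volatile because the other
 * side can rewrite it at any moment. Nothing here is Chromium code. */
#define PAYLOAD_CAP 16u
struct shared_msg {
    volatile uint32_t len;   /* controlled by the other process */
    uint8_t data[64];
};
/* Hypothetical hook standing in for the other process writing into the buffer
 * between two reads; it makes the race deterministic for the demo. */
typedef void (*race_hook)(struct shared_msg *m);

/* Vulnerable pattern (double fetch): len is read once to check it and again
 * to use it. Returns the length the code ended up trusting. The copy is
 * clamped only so the demo stays memory-safe; real code would pass n
 * straight to memcpy and overrun out[]. */
size_t vulnerable_read(struct shared_msg *m, uint8_t out[PAYLOAD_CAP], race_hook hook) {
    if (m->len > PAYLOAD_CAP) return 0;   /* fetch 1: validate */
    if (hook) hook(m);                    /* the other process changes len here */
    size_t n = m->len;                    /* fetch 2: use (may now exceed the cap) */
    memcpy(out, m->data, n > PAYLOAD_CAP ? PAYLOAD_CAP : n);
    return n;
}

/* Hardened pattern: fetch the header exactly once into private memory, then
 * validate and use only that copy, so a concurrent rewrite cannot bypass the check. */
size_t hardened_read(struct shared_msg *m, uint8_t out[PAYLOAD_CAP], race_hook hook) {
    uint32_t len = m->len;                /* single fetch */
    if (len > PAYLOAD_CAP) return 0;
    if (hook) hook(m);                    /* same window; the private copy is unaffected */
    memcpy(out, m->data, len);
    return len;
}

/* Constructed scenario: a well-formed 8-byte message whose sender rewrites
 * len to 60 inside the window. */
static void racing_writer(struct shared_msg *m) { m->len = 60; }

size_t demo_vulnerable(void) {
    struct shared_msg m = { .len = 8 };
    uint8_t out[PAYLOAD_CAP];
    return vulnerable_read(&m, out, racing_writer);   /* 60: checked 8, used 60 */
}

size_t demo_hardened(void) {
    struct shared_msg m = { .len = 8 };
    uint8_t out[PAYLOAD_CAP];
    return hardened_read(&m, out, racing_writer);     /* 8: checked and used the same value */
}
```

The same single-fetch rule applies to any field read from memory another process can write: copy it out once, then never touch the shared copy again.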
Commenting on the finding, a spokesperson for Google told The Daily Swig, “We always appreciate working with the research community through our Vulnerability Rewards Program, and thanks to this report we were able to patch the issue in Chrome 90.”