Critical vulnerability breaks Site Isolation feature in Google Chrome. Update immediately

Cybersecurity specialists report the detection of a flaw that would allow threat actors to abuse a set of load optimization features in Google Chrome to evade the Site Isolation feature. Chrome relies on the Same-Origin Policy to prevent a website from reading data belonging to other origins open in the same browser, although some flaws, such as Spectre, open avenues to evade this security mechanism.

Building on ideas implemented by Firefox, Site Isolation makes it much harder for a malicious website to steal information from other active pages, even when a cross-origin page is embedded in another website via an iframe.

The Google Project Zero report notes that researchers managed to evade this layer of security by exploiting a bug in Chrome’s service worker implementation. A service worker is a piece of JavaScript code that runs in the background, separately from the web page in use, and handles functions that do not require user interaction, such as push notifications and background synchronization.

Sergei Glazunov, a researcher at Google, explains that the exploit begins when a malicious website uses the “navigation preload” feature, which fetches a URL in parallel with the startup of the service worker. The malicious code would use a URL loader with Cross-Origin Read Blocking (CORB) disabled. CORB is a mechanism that blocks cross-origin resource loads in the browser before their contents reach the web page.

Once the attacker has a URL loader with CORB disabled, it is passed to the service worker, which loads the requested content and then initiates a self-destruct process.

In theory, this URL loader is not supposed to follow redirects, but because the service worker has access to the URL loader interface, its behavior can be modified to follow the redirect and read the full response even when it comes from a cross-origin domain. Under these conditions, Site Isolation no longer prevents the malicious code from accessing data outside its boundary.

Glazunov prepared a proof of concept (PoC) to show how an attacker can use the bug to request a Gmail URL and gain access to a user’s cookies and data. The flaw was addressed in Chrome 96, so users are advised to keep their browser always up to date.
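Since the article's only actionable advice is to be on Chrome 96 or later, the following added example (not from the article, Google or Project Zero) shows a small inventory check a defender might run over a list of endpoint Chrome versions. The page gives only the fixed major version, so the check compares majors and assumes any 96.x build carries the fix; the hostnames and version strings in the sample inventory are constructed for the example.

```python
"""Flag Chrome installs older than the major version the article reports as fixed."""
from typing import Dict, List, Tuple

# The article states the flaw was addressed in Chrome 96. Only the major version
# is given, so this check assumes any 96.x build is fixed.
FIXED_MAJOR = 96


def parse_chrome_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version such as '95.0.1111.22' into a tuple of ints.

    Raises ValueError for anything that is not dotted integers, so a malformed
    inventory entry is surfaced instead of being silently treated as current.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version: str, fixed_major: int = FIXED_MAJOR) -> bool:
    """True when the major version is at or above the fixed major."""
    return parse_chrome_version(version)[0] >= fixed_major


def hosts_needing_update(inventory: Dict[str, str],
                         fixed_major: int = FIXED_MAJOR) -> List[str]:
    """Return the sorted hostnames whose Chrome build predates the fix.

    Hosts with unparseable versions are included as well: an unknown version
    should be investigated, not assumed safe.
    """
    stale: List[str] = []
    for host, version in inventory.items():
        try:
            if not is_fixed(version, fixed_major):
                stale.append(host)
        except ValueError:
            stale.append(host)
    return sorted(stale)


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "95.0.1111.22",
    "ws-02": "96.0.2222.33",
    "ws-03": "94.0.3333.44",
    "ws-04": "97.0.4444.55",
    "ws-05": "unknown",
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} needs update to {FIXED_MAJOR}+")
```

In practice the inventory dictionary would be fed from whatever endpoint management or software inventory tool reports browser versions; the comparison logic stays the same.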

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.