A researcher from Google Project Zero Team discovered a site isolation bypass vulnerability affecting the Chrome browser. Google subsequently patched the bug with Chrome 96 stable release.
Google Chrome Site Isolation Bypass
Reportedly, Sergei Glazunov from Project Zero found a site isolation bypass affecting Google Chrome and the underlying Chromium codebase.
As elaborated in the researcher’s bug report, a malicious website could exploit the navigation preload feature to achieve this bypass.
The browser process requests a trusted, CORB-disabled URL loader factory from the network service in order to handle navigation preload for service workers…
When a preload request is initiated, the browser process passes the newly created `URLLoader` remote and `URLLoaderClient` receiver to the designated service worker…
In the service worker process, the `URLLoaderClient` receiver gets bound to a `NavigationPreloadRequest` object. If the object receives a redirect notification, it doesn’t follow the redirect, but resolves the `preloadResponse` JS promise and destroys itself…
However, since the `URLLoader` interface is exposed to the worker process, after achieving code execution inside the renderer, an attacker can modify `OnReceiveRedirect()` to instead call `URLLoader::FollowRedirect()`.
Google Fixed The Vulnerability
The researcher reported this vulnerability in October 2021, listing Google Chrome 95.0.4638.54 and Chromium 97.0.4677.0 as the affected versions.
Consequently, Google fixed the flaw (CVE-2021-38010) with the release of Chrome 96.0.4664.45 in November 2021, alongside other bug fixes.
Since the fix has shipped, users must make sure they are running the latest Chrome release on their devices.
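One practical check a fleet administrator would want after reading this is whether the installed Chrome builds are at or beyond the release that carries the fix. The script below is an added example written for this article, not code from Google or the researcher; the fixed and vulnerable version numbers are the ones the article states, while the function names, the tab-separated inventory format and the sample host lines are constructed for the example. It compares versions numerically rather than as strings, which is the mistake such checks usually make.

```python
"""Added example: decide whether a Chrome/Chromium version string is at or
above the release the article names as carrying the CVE-2021-38010 fix
(96.0.4664.45). Version numbers come from the article; the inventory format
and host names below are constructed sample data."""

FIXED_VERSION = "96.0.4664.45"   # stable release named in the article as fixed


def parse_version(text):
    """Parse a dotted Chrome version ('96.0.4664.45') into a 4-tuple of ints.

    Raises ValueError for anything that is not 1-4 purely numeric components,
    so garbage in an inventory export is surfaced instead of silently passing.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    # Pad short strings so '96' compares like '96.0.0.0'
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def is_patched(version, fixed=FIXED_VERSION):
    """True if `version` is numerically >= the fixed release.

    Tuple comparison is deliberate: as strings, '96.0.4664.5' sorts after
    '96.0.4664.45', which would wrongly mark an older build as patched.
    """
    return parse_version(version) >= parse_version(fixed)


def triage_inventory(lines):
    """Classify 'hostname<TAB>version' lines (constructed format) as
    'patched', 'vulnerable' or 'unknown' (unparseable version)."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comment lines
        host, _, ver = line.partition("\t")
        try:
            result[host] = "patched" if is_patched(ver) else "vulnerable"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; only ws-02 is at the fixed release.
SAMPLE_INVENTORY = [
    "# host\tchrome_version   (constructed sample data)",
    "ws-01\t95.0.4638.54",    # version the article lists as vulnerable
    "ws-02\t96.0.4664.45",    # the fixed release
    "ws-03\t96.0.4664.5",     # older than the fix despite sorting later as text
    "ws-04\tnot-installed",   # unparseable -> unknown
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```

Note the caveat the article’s own numbers expose: Chromium 97.0.4677.0 was listed as vulnerable at report time even though its number is higher than 96.0.4664.45, because it was a pre-fix snapshot from a later branch. A numeric comparison like this is therefore reliable for stable-channel builds, but for dev or Canary snapshots it is not a substitute for confirming that the fix commit is actually present.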
Google introduced site isolation as a security feature that prevents cross-site interaction within the browser by restricting how resources are allocated. Because the browser confines each website to its own sandbox, a malicious website can’t access sensitive data from other sites.
This feature also served as a workaround to mitigate the infamous Meltdown and Spectre vulnerabilities in 2018. Following its success, Mozilla also introduced a similar feature in its Firefox browser in 2020.