A researcher discovered a severe vulnerability in Chromium that allowed SameSite cookie bypass on Android browsers. Google patched the flaw following the bug report.
Chromium SameSite Cookie Bypass Vulnerability
Security researcher Axel Chong discovered and reported a SameSite cookie bypass vulnerability affecting Chromium Android browsers.
According to the bug report, Chong found that he could evade the SameSite cookie restriction on Android browsers using the Intent scheme for site navigation.
"Possible to bypass SameSite cookie on Android by redirecting to Intent and continuing to stay in Chrome."
Chong also shared steps for reproducing the vulnerability, demonstrating how the bypass could be used to evade the SameSite cookie restriction.
Commenting on his findings to The Daily Swig, the researcher explained that he noticed the vulnerability while working on Intents. He had wondered how Intent URLs could allow a security bypass, and he pointed out that this vulnerability could also lead to cross-site request forgery (CSRF).
The discussion on Chong’s bug report also highlighted that Chrome had previously fixed a similar issue, in which normal redirects also passed SameSite cookies. However, he could still observe this behavior, which suggested that Chrome had somehow disabled the earlier fix at some point.
Google Fixed The Vulnerability
Chong reported this issue to Google in September 2022, triggering much discussion. The problem was difficult for the developers to address because fixing it required determining which apps could be trusted, and Android’s security model does not reveal the sender of an Intent.
The comments on the bug report note that trusting incoming Intents from all apps would allow any app to bypass SameSite restrictions. Hence, after a thorough discussion, the developers eventually decided to disallow SameSite cookies for untrusted apps.
The researcher also tested and confirmed the fix, which shipped in Chrome Canary 109.0.5397.0 for Android in November 2022. Afterward, the developers took some time to address the same issue for custom tabs before allowing disclosure of the bug.
Besides deploying the patch, Google rewarded the researcher with a $5000 bounty under its Vulnerability Reward Program.