A recently patched bug in the Chromium project could allow malicious actors to bypass a security feature that protects sensitive cookies on Android browsers.
The SameSite cookie attribute lets developers restrict when a cookie is sent. For example, setting SameSite=strict can prevent a cookie from showing up in HTTP responses if the user navigates to the website through a link or a redirect from another website.
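To make the rule concrete, the following is an added example (not code from the article, from Chong's proof-of-concept, or from Chromium) that models how a browser decides whether a cookie accompanies a request under the Strict, Lax and None modes, including the link-or-redirect case described above. The tiny `PUBLIC_SUFFIXES` set, the `Cookie`/`Request` classes and the "one cross-site hop in a redirect chain makes the final request cross-site" rule are all simplifying assumptions of this example; a real browser uses the full Public Suffix List and its own redirect handling.

```python
"""Model of the SameSite decision a browser makes before attaching a cookie.

Added example, not the article's or Chromium's code. The site comparison
uses a constructed stand-in for the Public Suffix List.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed, intentionally tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return eTLD+1, e.g. 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()


def site_of(url: str) -> Tuple[str, str]:
    """A 'site' is (scheme, registrable domain); that is what SameSite compares."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), registrable_domain(parts.hostname or ""))


@dataclass
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None"


@dataclass
class Request:
    url: str
    initiator: Optional[str]          # page that caused the request; None = typed by the user
    method: str = "GET"
    top_level_navigation: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Read the SameSite attribute from a Set-Cookie value.

    An absent attribute is treated as Lax, which is Chromium's default.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    same_site = "Lax"
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            same_site = value.strip().title() or "Lax"
    return Cookie(name, same_site)


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Apply the SameSite rule to a single request."""
    if req.initiator is None:
        return True                      # address bar / bookmark: same-site by definition
    mode = cookie.same_site.lower()
    if mode == "none":
        return True                      # opted out of SameSite protection entirely
    if site_of(req.url) == site_of(req.initiator):
        return True                      # same-site request: every mode allows it
    if mode == "lax":
        # Lax relaxes Strict only for top-level navigations with safe methods
        # (clicking a link, following a redirect), never for POSTs or subresources.
        return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")
    return False                         # Strict: never on a cross-site request


def cookie_sent_after_redirects(cookie: Cookie, initiator: str,
                                chain: List[str], method: str = "GET") -> bool:
    """Top-level navigation that started at `initiator` and followed `chain`
    (last entry is the destination). Assumption of this model: one cross-site
    hop anywhere in the chain makes the final request cross-site."""
    dest = chain[-1]
    hops = [initiator, *chain[:-1]]
    # Present the first cross-site hop (if any) as the effective initiator.
    effective = next((u for u in hops if site_of(u) != site_of(dest)), initiator)
    return cookie_is_sent(cookie, Request(dest, effective, method, top_level_navigation=True))


if __name__ == "__main__":
    strict = parse_set_cookie("session=abc; Path=/; Secure; SameSite=Strict")
    link = Request("https://example.com/account", "https://other.org/page",
                   top_level_navigation=True)
    print("Strict cookie on cross-site link:", cookie_is_sent(strict, link))
    print("Strict cookie via cross-site redirect:",
          cookie_sent_after_redirects(strict, "https://example.com/",
                                      ["https://other.org/r", "https://example.com/final"]))
```

Running the script shows the expected behaviour for a Strict cookie: it stays home on a cross-site link and on a navigation that passes through a cross-site redirect, which is precisely the guarantee the bypass described below undermines.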
SameSite bypass with intent requests
Security researcher Axel Chong, however, discovered that he could bypass SameSite protection if he used the intent scheme to navigate to the target website. Intents are external protocol handlers that allow Android apps to open other apps, such as jumping from the browser to the Maps application or from an SMS to the browser.
“I came across this bug when I read this interesting bug on intents,” Chong told The Daily Swig. “As intent URLs could point to the same app (Chrome in this case) and create a fresh browsing context, I had then wondered what kind of security measures that intent URLs could possibly bypass.”
Intent URLs should be treated as external sources and be subject to SameSite restrictions. But a Python proof-of-concept created by Chong shows that cookies set with SameSite=strict carry over when the web server initiates a redirection with an intent URL.