Shield with Hole: New Security Mitigation Helps Us Escape Chrome Sandbox to Exfiltrate User Privacy

Conference:  BlackHat EU 2020



The presentation discusses a vulnerability found in a security mitigation of Chrome for Android, which allows for remote attacks on the browser. The vulnerability is caused by a hole in the CORS implementation in the render process.
  • Chrome for Android's security mitigation has a vulnerability caused by a hole in the CORS implementation in the render process
  • The vulnerability allows for remote attacks on the browser
  • The exploit chain involves downloading an HTML payload file to external storage and using a deep link to access content on the victim's device
  • The vulnerability was found by the Mobile Security Team of the lab and was demonstrated using the Wish app as an example
The exploit chain involves downloading an HTML payload file to external storage; this was found to succeed only when the file was downloaded to the Download directory of external shared storage. The team could then access content on the victim's device through a deep link, demonstrating the vulnerability in Chrome for Android's security mitigation.


More security mitigations are usually assumed to mean more secure software and a higher exploit cost. The Chrome browser keeps introducing all kinds of security mitigation measures, such as the multi-process architecture[1], the sandbox and CORS, which have helped Chrome become one of the most secure browsers in the world. However, we find that some mitigations not only fail to make software safer but even introduce new vulnerabilities. Recently, the network stack was moved out of the Chrome browser process to run as a separate process called the 'Network service', and a new mitigation named 'OutOfBlinkCors'[2] (aka OOR-CORS) has landed in the Network service. We find that the Same-Origin policy is broken if 'OutOfBlinkCors' is enabled on Chrome for Android.

After a period of deep research, we succeeded in developing a full exploit chain of six bugs/features to escape the Chrome sandbox and exfiltrate user privacy, such as personal pictures, private documents, and even clear-text account credentials (username and password) for Google, Facebook and other third-party websites. Our exploit chain can be triggered inside the Chrome sandbox remotely, once a link in an SMS, email or website is clicked. Besides Chrome for Android, Android WebView is also vulnerable to the above bugs. We will use one app, 'Wish', as a demo to show the attack effects.

The process of our research was very interesting. Originally, our exploit chain worked well on version 81 of Chrome for Android, but the chain was broken by a fix in version 83. Finally, we came up with an interesting exploit technique to bypass it with the help of a pre-installed app on Pixel devices; we name this technique the 'reflection attack'. In this talk, we will detail the full exploit chain and analyze the root cause of each bug in the chain. We will also demystify the trick we used to bypass Scoped Storage[3] enforcement, a mitigation measure introduced in Android 10. Besides, we will explain how we escape the Chrome sandbox to carry out the attack.

The bug chain has been reported to Google and assigned 'Critical' severity, the most serious level in the Chrome Vulnerability Reward Program. In short, security mitigations are designed to help protect against vulnerabilities, but they can introduce new vulnerabilities if implemented carelessly. Developers should pay more attention to avoiding negative effects when introducing new mitigations; for security researchers, new mitigations can be good targets for bug hunting.

References:
[1] https://developers.google.com/web/updates/2018/09/inside-browser-part1
[2] https://www.chromestatus.com/feature/5768642492891136
[3] https://developer.android.com/about/versions/10/privacy/changes#scoped-storage
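The abstract's central point is that the Same-Origin policy and the CORS check that enforces it for cross-origin responses are what a mitigation like OutOfBlinkCors must preserve. The following is an added example (not code from the talk or from Chromium, whose real implementation is in C++ and considerably more involved) that models the decision a browser has to make before exposing a cross-origin response body to a page: parse the requester's origin as the (scheme, host, port) tuple, compare it with the target, and otherwise require a matching Access-Control-Allow-Origin header, refusing the wildcard and demanding Access-Control-Allow-Credentials when credentials are attached. The URLs and headers used in the usage section are constructed sample values; non-http(s) schemes such as file: are deliberately treated as opaque origins here, which is an assumption of this model rather than a description of Chrome's behaviour.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Default ports for the two schemes this model understands.
DEFAULT_PORTS = {"http": 80, "https": 443}

Origin = Tuple[str, str, int]


def origin_of(url: str) -> Optional[Origin]:
    """Return the (scheme, host, port) origin of a URL, or None for opaque origins.

    Assumption of this model: anything that is not http(s) with a host
    (file:, data:, about:blank, ...) is opaque and never equals another origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def serialize_origin(origin: Origin) -> str:
    """Serialize an origin the way it appears in an Origin request header."""
    scheme, host, port = origin
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def same_origin(url_a: str, url_b: str) -> bool:
    """Two URLs are same-origin only if both have a concrete, identical origin tuple."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b


def cors_response_readable(
    requester_url: str,
    target_url: str,
    response_headers: Dict[str, str],
    with_credentials: bool = False,
) -> bool:
    """Decide whether the body of a response from target_url may be exposed to requester_url.

    Same-origin responses are always readable. Cross-origin responses are readable
    only if the server explicitly opted in via Access-Control-Allow-Origin, and a
    credentialed request additionally needs an exact origin match (no wildcard)
    plus Access-Control-Allow-Credentials: true.
    """
    if same_origin(requester_url, target_url):
        return True

    requester = origin_of(requester_url)
    if requester is None:
        return False  # opaque origins can never satisfy a CORS allow-list

    # Header names are case-insensitive; normalise before lookup.
    headers = {name.lower(): value.strip() for name, value in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False  # no opt-in: the response stays opaque to the page

    if allow_origin == "*":
        # The wildcard is valid only for requests made without credentials.
        return not with_credentials

    if allow_origin != serialize_origin(requester):
        return False  # allow-list names a different origin

    if with_credentials and headers.get("access-control-allow-credentials", "").lower() != "true":
        return False  # credentialed response requires the explicit second opt-in

    return True


if __name__ == "__main__":
    # Constructed sample values for a quick demonstration.
    page = "https://app.example/index.html"
    api = "https://api.example/v1/profile"
    print(same_origin(page, "https://app.example:443/other"))           # same origin, default port
    print(cors_response_readable(page, api, {}))                          # no opt-in -> not readable
    print(cors_response_readable(page, api, {"Access-Control-Allow-Origin": "*"}, with_credentials=True))
    print(cors_response_readable(page, api, {
        "Access-Control-Allow-Origin": "https://app.example",
        "Access-Control-Allow-Credentials": "true",
    }, with_credentials=True))
```

The check is written as a pure function over headers so that the same decision logic can be unit-tested in isolation, which is exactly the property a browser loses when the check is moved between processes without a matching test surface.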