When it comes to modern web applications, browsers are the first line of defense. While the security features compiled into browsers are responsible for preventing a wide array of attacks, any seemingly trivial mistake in a browser's implementation of such a feature can have devastating effects. In this session, we will talk about a vulnerability in WebKit (Safari, and all browsers on iOS devices, including Firefox and Chrome) and a browser security feature which, when abused, allowed us to leak certain cross-site information. This made almost every application using authentication/authorization technologies such as Single Sign-On and OAuth vulnerable, giving us instant access to user accounts. The talk will also include our take on, and workarounds for, the latest browser features such as ITP and SameSite cookies, as well as the techniques and approaches we used to bypass common measures implemented to prevent such vulnerabilities.
We will explain how we were able to exploit hundreds of companies with billions of users in total and harvested over $100k in bounties. Even corporations such as Google, Facebook, GitLab, Coinbase and others, which are very cautious with security measures, were all vulnerable. The exploit demonstrates, on one hand, how not adhering to a simple-looking specification can turn into a disaster and, on the other hand, how simply following the specification might not be enough.
We'll also talk about the programs' responses to our reports, give a general understanding of such vulnerabilities, and cover the fixes and the bypasses we came up with. Finally, we'll conclude with how to address such vulnerabilities using yet another browser feature.