Key Information

Vulnerability Overview
- Vulnerability Type: Site Isolation bypass
- Exploitation Method: Using Blob URL
- ID: 40092507
- Status: Fixed
- Affected Versions: Chrome 61 (initially discovered)
- Current Verification Version: Chrome 71 dev (also reproducible in stable versions)
- Severity: S1
- Priority: P1

Vulnerability Details
Masato Kinugawa discovered that in Chrome 61, Site Isolation could be bypassed by combining a UXSS with Blob URLs. Although that UXSS is no longer present in the latest versions, the vulnerability remains exploitable by simulating renderer exploitation (a compromised renderer process).

Proof of Concept (PoC)
1. The response from https://www.google.com is readable.
2. Cookies can be retrieved by accessing the DOM of the https://www.google.com iframe.
3. Task Manager shows only one renderer process, indicating that the Blob URL and the https://www.google.com iframe are in the same process.

Reproduction Steps
1. Visit https://www.shhnjk.com/blob.html and attach WinDbg to the renderer process.
2. Set breakpoint:
3. Click the "Go!" button on the webpage.
4. When WinDbg triggers the breakpoint, modify the "shhnjk" origin's "host" value to "google".
5. Modify the "shhnjk" public_url's "string" value to "google".
6. Press
7. Observe the vulnerability effect.

Involved Personnel
- Reporter: s....@gmail.com
- Assignee: a!....@chromium.org
- CC: Multiple team members and developers

Additional Notes
Mentions association with CVE-2017-5124; related code: GitHub Link