CVE-2018-20071 in Chrome
Summary
by MITRE
Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controlled files via a crafted HTML page.
Analysis
by VulDB Data Team • 04/27/2020
This vulnerability resides in the payment handler functionality of the Google Chrome browser, where insufficient origin validation occurs during just-in-time (JIT) installation of JavaScript payment applications. The flaw exists in the payment app registration process: Chrome fails to properly verify the origins of service workers that are being installed for payment handling purposes. An attacker who crafts a specially designed HTML page can exploit this weakness to register a service worker under a domain they control, bypassing the origin restrictions that should prevent such cross-domain installations. The vulnerability affects Chrome versions prior to 70.0.3538.67 and represents a significant security gap in the browser's payment handling architecture.
Technically, the vulnerability stems from the payment handler registration API in Chrome, which allows web applications to register service workers for processing payment requests. During installation, Chrome should enforce strict origin checks so that a service worker can only be installed for a domain that is authorized to handle payments for that specific origin. However, the validation was insufficiently implemented, allowing an attacker to manipulate the origin checking logic. The flaw therefore permits a malicious actor to install a service worker that can intercept payment requests and potentially serve attacker-controlled content or redirect payments to malicious endpoints.
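To make the origin check described above concrete, the following is an added example, not Chromium's code, of the validation a browser should perform before a just-in-time install. It assumes the web app manifest carries a `serviceworker` member with `src` and `scope` (the shape used in Chromium's payment handler documentation), resolves both against the URL the manifest was fetched from, and rejects the install unless they land on the manifest's own https origin and the scope lies within the script's directory.

```javascript
// Illustrative JIT payment app install check (added example, not Chromium code).
// Resolve a possibly relative URL and require https; payment handlers must be
// served over a secure context.
function resolveSecure(href, base) {
  const u = new URL(href, base);
  if (u.protocol !== 'https:') throw new Error(`insecure scheme: ${u.href}`);
  return u;
}

// manifestUrl: final URL of the web app manifest (after redirects).
// manifest: parsed manifest JSON; the `serviceworker` member shape
// ({ src, scope }) is an assumption taken from Chromium's payment handler docs.
function validateJitInstall(manifestUrl, manifest) {
  const manifestOrigin = new URL(manifestUrl).origin;
  const sw = manifest && manifest.serviceworker;
  if (!sw || typeof sw.src !== 'string') {
    return { ok: false, reason: 'manifest has no serviceworker.src' };
  }
  let src, scope;
  try {
    src = resolveSecure(sw.src, manifestUrl);
    // Default service worker scope is the script's own directory.
    scope = resolveSecure(sw.scope || './', src.href);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  // Compare complete origins (scheme, host, port), never hostname substrings,
  // so bobpay.example.attacker.example or a different port cannot pass.
  if (src.origin !== manifestOrigin) {
    return { ok: false, reason: `serviceworker.src origin ${src.origin} is not ${manifestOrigin}` };
  }
  if (scope.origin !== manifestOrigin) {
    return { ok: false, reason: `serviceworker.scope origin ${scope.origin} is not ${manifestOrigin}` };
  }
  // Without a Service-Worker-Allowed header a script may only control its own
  // directory and below; reject a scope that climbs above the script.
  const scriptDir = src.pathname.slice(0, src.pathname.lastIndexOf('/') + 1);
  if (!scope.pathname.startsWith(scriptDir)) {
    return { ok: false, reason: `scope ${scope.pathname} is outside script directory ${scriptDir}` };
  }
  return { ok: true, src: src.href, scope: scope.href };
}

// Constructed sample: a merchant manifest registering its own worker.
const SAMPLE_MANIFEST_URL = 'https://bobpay.example/pay/manifest.json';
const SAMPLE_MANIFEST = { serviceworker: { src: '/pay/sw.js', scope: '/pay/' } };
console.log(validateJitInstall(SAMPLE_MANIFEST_URL, SAMPLE_MANIFEST));
```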
The operational impact of this vulnerability is substantial, as it creates a persistent attack vector that can be exploited through web-based delivery. An attacker could craft a malicious webpage that, when visited by a Chrome user, would silently install a malicious service worker intercepting payment requests made through the browser. This service worker could then serve malicious content to the user, potentially redirecting payments to attacker-controlled accounts or collecting sensitive payment information. The attack requires no special privileges and no user interaction beyond visiting the malicious webpage, making it particularly dangerous in phishing scenarios or on compromised websites.
This vulnerability aligns with CWE-200, which addresses information exposure through improper access control, and CWE-352, which covers cross-site request forgery. The flaw also maps to techniques in the ATT&CK framework: T1190 for exploit for client execution and T1059 for command and scripting interpreter. The attack vector represents a sophisticated approach to persistent web-based compromise in which the attacker gains long-term control over payment handling. The vulnerability demonstrates a critical weakness in browser-based payment security models when service worker registration fails to properly enforce origin isolation.
Mitigation consists of updating to Chrome version 70.0.3538.67 or later, where the origin validation has been properly implemented. Organizations should also monitor for unusual service worker installations and patterns of payment request interception. Browser security teams should consider additional validation for service worker registration, particularly in payment-related contexts. Users should keep their browser current and exercise caution when visiting unfamiliar websites that might attempt to exploit such vulnerabilities. The fix implemented by Google strengthened the origin validation checks during payment handler registration so that only properly authorized domains can install service workers for payment processing, closing the attack vector that allowed cross-domain service worker installation.