Security Analysis of the Site-Isolation Feature in Firefox
Supervisor(s): | Fabian Kilger |
Status: | finished |
Topic: | Others |
Author: | Hannah Fischer |
Submission: | 2025-02-17 |
Type of Thesis: | Bachelorthesis |
Description: | The Spectre attack, discovered in 2018, posed a huge risk to security, with one of the main targets being browsers. The attack made it possible for one website to steal data (e.g. credentials) from another website, provided they are in the same browser process. It sent OS, CPU and browser manufacturers scrambling to introduce fixes. In browsers, this meant separating websites into their own processes, only allowing websites considered “same-site” to be put into the same process. In this thesis, we take a look at a recent version of Firefox and present how this behavior can still pose a security risk. We first look at the implementation and show that websites considered “same-site” can steal data from each other. We then look at what is necessary in order to do that, what data an attacker could steal and how that can be achieved. Next, we implement a proof-of-concept exploit to confirm these findings. The presented exploit allows an attacker to steal cookies and values from local storage. Lastly, we put these findings into context and present mitigations for this attack. |