Chrome Ad Heavy Bypass - Not Every Vulnerability Has a CVE

Imriah
SSD Secure Disclosure
Oct 28, 2021

Software and hardware vendors, and even some security researchers, have a standard way of looking at security vulnerabilities: only what fits the catalog of known security threats counts. By that definition, a security vulnerability exists only when a threat actor can execute code or bypass privileges in your system. We at SSD see security vulnerabilities more holistically. Vulnerabilities are not only what hackers can do to your systems but also what your systems fail to do.

Our latest advisory demonstrates precisely how these atypical vulnerabilities may affect products and why fixing them is essential for the ecosystem's health, even if they are not recognized as such. This latest advisory concerns an issue in the Chrome Ad-Heavy detection mechanism that allows it to be bypassed. While this is not a regular CVE but a security issue, it still affects the community and has long-lasting repercussions.

Google developed the Chrome Ad-Heavy detection mechanism to address ads that consume a large amount of memory or CPU and degrade the user's experience. Ad-Heavy limits the resources an ad can use and unloads ads that exceed the allowed amount.

Chrome Ad Heavy Bypass

An independent security researcher, Alesandro Ortiz, discovered that this mechanism could be bypassed as part of our Impossible Chrome challenge at this year's TyphoonConCTF. Alesandro bypassed the Ad-Heavy mechanism by delegating the network requests that would normally go through window.fetch to a SharedWorker. The shared worker's bandwidth is not tracked as part of the ad unit, so it can make the network request and then send the response back to the ad unit frame via postMessage without triggering Chrome's ad intervention logic.
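The root cause described above is an accounting gap: bytes fetched on behalf of an ad frame by a worker are charged to nobody. The following is an added illustration, not code from SSD, the researcher or Chromium, that models per-frame network accounting with a constructed byte threshold and a constructed request trace. It shows the same trace evaluated twice: once with worker traffic unattributed (the gap) and once with worker traffic charged to every frame connected to that worker (one possible mitigation; the attribution policy and the `HeavyAdAccounting` name are my assumptions, not Chrome's implementation).

```javascript
// Added example: a toy model of heavy-ad network accounting.
// NETWORK_LIMIT_BYTES is a constructed threshold, not Chrome's real value.
const NETWORK_LIMIT_BYTES = 4 * 1024 * 1024;

class HeavyAdAccounting {
  // attributeWorkerTraffic: false models the gap; true models the mitigation.
  constructor({ attributeWorkerTraffic }) {
    this.attributeWorkerTraffic = attributeWorkerTraffic;
    this.bytesByFrame = new Map();   // frameId -> cumulative bytes charged
    this.unloaded = new Set();       // frames that crossed the threshold
  }

  // Charge one completed response. A requester is either
  //   { kind: 'frame', frameId }                        (fetch from the frame itself)
  //   { kind: 'worker', connectedFrameIds: [...] }      (fetch from a SharedWorker)
  // Returns the list of frames that were charged.
  recordResponse(requester, bytes) {
    let charged;
    if (requester.kind === 'frame') {
      charged = [requester.frameId];
    } else if (this.attributeWorkerTraffic) {
      // Conservative policy: a shared worker's traffic is charged to every
      // frame holding a connection to it, since the worker does not reveal
      // which connection triggered the request.
      charged = requester.connectedFrameIds;
    } else {
      return []; // the gap: worker traffic is invisible to the ad unit's budget
    }
    for (const frameId of charged) {
      const total = (this.bytesByFrame.get(frameId) || 0) + bytes;
      this.bytesByFrame.set(frameId, total);
      if (total > NETWORK_LIMIT_BYTES) this.unloaded.add(frameId);
    }
    return charged;
  }

  chargedBytes(frameId) { return this.bytesByFrame.get(frameId) || 0; }
  isUnloaded(frameId) { return this.unloaded.has(frameId); }
}

// Constructed trace: an ad frame loads 1 MB directly, then routes a 5 MB
// payload through a SharedWorker it created and relays it back via postMessage.
const AD_FRAME = 'ad-frame-1';
const TRACE = [
  { requester: { kind: 'frame', frameId: AD_FRAME }, bytes: 1 * 1024 * 1024 },
  { requester: { kind: 'worker', connectedFrameIds: [AD_FRAME] }, bytes: 5 * 1024 * 1024 },
];

// Run the trace under one attribution policy and report the ad frame's fate.
function simulate(attributeWorkerTraffic) {
  const acct = new HeavyAdAccounting({ attributeWorkerTraffic });
  for (const ev of TRACE) acct.recordResponse(ev.requester, ev.bytes);
  return { chargedBytes: acct.chargedBytes(AD_FRAME), unloaded: acct.isUnloaded(AD_FRAME) };
}

console.log('unattributed worker traffic:', simulate(false)); // 1 MB charged, not unloaded
console.log('attributed worker traffic:  ', simulate(true));  // 6 MB charged, unloaded
```

The point of the two runs is that the ad's real network use is identical in both; only the accounting differs. Any budget-based intervention is only as strong as its attribution of resource use back to the unit it is meant to constrain.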

Even though this is not a regular security vulnerability with a CVE attached, we still decided to publish it and pay the researcher. The Ad-Heavy mechanism offers protection against malware and attacks that disguise themselves as ads. This issue affects the community's security as much as any other vulnerability, and fixing it will only make the community safer. All of this led us to launch a campaign focused on finding unorthodox vulnerabilities and exploits in Chrome, with a $15,000 USD reward.

This issue presents a way of thinking about security vulnerabilities that goes beyond the standard CVE-oriented view. These past few years have taught us that hackers have many ways to harm our systems, and that even a tiny flaw can cause a lot of harm. This is why we need to rethink what counts as a security vulnerability and reward security researchers for finding them.

Here at SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, or devices.

Researching a product but uncertain it can be defined as a vulnerability (and be paid for)? Our team is here to check it out!

We constantly publish our findings to educate the global community of security researchers. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us here using our report template.

Join the conversation:

Visit SSD

Twitter

Facebook

YouTube
