xdg-utils
cpe:2.3:a:freedesktop:xdg-utils:*:*:*:*:*:*:*
- <= 1.2.1
xdg-open in xdg-utils versions through 1.2.1 allows requests to be sent with SameSite=Strict cookies attached, which can bypass Cross-Site Request Forgery (CSRF) protections. xdg-open is commonly used by applications such as email clients to hand a URL to the default browser, and the browser treats the resulting request as a user-initiated, top-level navigation, so it includes cookies marked SameSite=Strict. As a result, a CSRF request that the browser would block when triggered from a third-party web page can succeed when the same link is opened through xdg-open, undermining the protection SameSite=Strict is expected to provide.
Exploitation of this vulnerability can lead to successful CSRF attacks, allowing malicious websites to perform actions on behalf of the user without their consent.
To reproduce this vulnerability, use an application that passes URLs to the xdg-open command, such as an email client or messaging app. Include a link that triggers a CSRF action on a site whose session cookie is marked SameSite=Strict. When the link is clicked, xdg-open launches the default browser, which sends the SameSite=Strict cookie with the request, bypassing the intended CSRF protection.
Major browser vendors have been notified and are aware of the issue. Discussions are ongoing to determine an appropriate solution. It is recommended to introduce an 'untrusted' mode or flag in browser command-line tools for opening external URLs, and to modify desktop environments or applications to use this flag when appropriate.
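Until browsers and desktop environments ship the untrusted-launch flag described above, the practical server-side takeaway is that SameSite=Strict must not be the only CSRF control. The following is an added, constructed example (not xdg-utils code and not part of this advisory) of a defence-in-depth check for a state-changing endpoint: it refuses state changes over GET, checks the Origin header against the site's own origin, and requires a per-session synchronizer token. The names `SITE_ORIGIN`, `Session`, `Request` and `csrf_check` are assumptions of the example. The navigation that a browser performs when launched through xdg-open is a top-level GET with no form body, so it is rejected even though the SameSite=Strict cookie arrives with it.

```python
"""Defence-in-depth CSRF check that does not rely on SameSite cookies alone.

Constructed example. A browser launched through xdg-open issues a top-level
GET navigation and attaches SameSite=Strict cookies to it; this check still
rejects such a request because a navigation is a GET and carries no
per-session token.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Mapping, Optional

SITE_ORIGIN = "https://app.example"  # constructed origin used by the example


@dataclass
class Session:
    # Server-side session state. The CSRF token is issued once per session and
    # embedded in the site's own forms; a cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: Mapping[str, str]
    form: Mapping[str, str]
    cookies: Mapping[str, str]


def csrf_check(req: Request, session: Optional[Session]) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    if session is None:
        return False, "no session cookie"
    # 1. State changes must never be reachable by plain navigation (GET/HEAD).
    #    This is what defeats the xdg-open case: the launched browser performs
    #    a top-level GET, and a GET cannot carry the per-session token.
    if req.method.upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return False, f"{req.method} may not change state"
    # 2. When the browser supplies an Origin header it must be our own site.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, f"cross-origin request from {origin}"
    # 3. Synchronizer token: the submitted value must match the session token.
    #    compare_digest on bytes avoids timing leaks and rejects non-ASCII input
    #    cleanly instead of raising.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def demo() -> dict[str, bool]:
    """Run the check against four constructed requests; True means allowed."""
    session = Session()
    # Conceptually a SameSite=Strict session cookie; the browser sends it in
    # every case below, including the xdg-open navigation.
    cookies = {"sid": "constructed-session-id"}
    # (a) Link opened via xdg-open: top-level GET, cookie present, no token.
    #     A SameSite-only defence would have let this through.
    nav = Request("GET", {"Sec-Fetch-Site": "none"}, {}, cookies)
    # (b) Cross-site form post from another origin, without the token.
    xsite = Request("POST", {"Origin": "https://evil.example"}, {}, cookies)
    # (c) Legitimate same-origin form submission carrying the right token.
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"csrf_token": session.csrf_token}, cookies)
    # (d) Same-origin post carrying a stale or wrong token.
    bad_token = Request("POST", {"Origin": SITE_ORIGIN},
                        {"csrf_token": "x" * 43}, cookies)
    return {
        "xdg_open_navigation": csrf_check(nav, session)[0],
        "cross_site_post": csrf_check(xsite, session)[0],
        "legit_post": csrf_check(legit, session)[0],
        "bad_token": csrf_check(bad_token, session)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

Only the legitimate same-origin POST with a valid token is allowed; the xdg-open navigation, the cross-site post and the wrong-token post are all rejected regardless of which cookies the browser attached.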