Linux Entra SSO Chrome Extension Cookie Leakage Vulnerability

Vulnerability

A vulnerability in the Linux Entra SSO Chrome extension, prior to version 1.8.1, allows for the unintentional leakage of the Microsoft Entra ID Primary Refresh Token (PRT) cookie to attacker-controlled websites. This issue arises because the extension's declarativeNetRequest rule for modifying headers is based on a substring match of the request URL, without proper safeguards. When broad host permissions are granted, an attacker can exploit this behavior to access the PRT cookie and hijack the user's SSO session.
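The difference between a substring-matched and a host-scoped header rule, as an added example (not the extension's actual rule, and not the 1.8.1 fix). The rules, header name, header value and test URLs are constructed, and the matcher is a simplified model of declarativeNetRequest covering only the conditions used here.

```javascript
// Simplified model of declarativeNetRequest URL matching (added example).
// Models only: substring urlFilter, the "||" domain anchor, requestDomains.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function ruleMatches(rule, url) {
  const { urlFilter = "", requestDomains } = rule.condition;
  const u = new URL(url);
  if (requestDomains && !requestDomains.some((d) => hostMatches(u.hostname, d))) {
    return false; // request host is outside the allowed domains
  }
  if (urlFilter.startsWith("||")) {
    // Domain anchor: the pattern must start at the host or a parent domain.
    const rest = urlFilter.slice(2);
    const labels = u.hostname.split(".");
    const afterHost = url.slice(url.indexOf(u.hostname) + u.hostname.length);
    return labels.some((_, i) => (labels.slice(i).join(".") + afterHost).startsWith(rest));
  }
  return url.includes(urlFilter); // unanchored: substring anywhere in the URL
}

// Audit check: a rule that sets request headers must be pinned to request hosts.
function auditRule(rule) {
  const setsHeaders = rule.action.type === "modifyHeaders" &&
    Array.isArray(rule.action.requestHeaders);
  const domains = rule.condition.requestDomains;
  const pinned = Array.isArray(domains) && domains.length > 0;
  return setsHeaders && !pinned ? "unscoped-header-rule" : "ok";
}

// Constructed rules; header name and value are placeholders.
const action = { type: "modifyHeaders",
  requestHeaders: [{ header: "x-example-sso-cookie", operation: "set", value: "<PRT cookie>" }] };
const weakRule = { id: 1, action,
  condition: { urlFilter: "https://login.microsoftonline.com/" } };
const scopedRule = { id: 2, action, condition: {
  urlFilter: "||login.microsoftonline.com/",
  requestDomains: ["login.microsoftonline.com"] } };

// Constructed test URLs: the real login host, and a foreign host whose path
// contains the login URL (the request shape described under Reproduction).
const LEGIT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
const FOREIGN = "https://attacker.example/https://login.microsoftonline.com/";

for (const rule of [weakRule, scopedRule]) {
  console.log(rule.id, auditRule(rule), ruleMatches(rule, LEGIT), ruleMatches(rule, FOREIGN));
}
```
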

Impact

Exploitation of this vulnerability allows an attacker to obtain the victim's Microsoft Entra ID Primary Refresh Token cookie, which can be used to access applications the user has consented to, effectively hijacking the SSO session until the token expires or is revoked.

Reproduction

To reproduce this vulnerability, first ensure that the Linux Entra SSO Chrome extension is installed and has broad host permissions enabled. Then, navigate to an attacker-controlled domain that can prompt the user to enable 'background SSO'. Once this is done, the attacker can initiate a request that includes 'https://login.microsoftonline.com/' in the path, which will trigger Chrome to attach the PRT cookie to the request, leaking it to the attacker.

Remediation

Users should update the Linux Entra SSO Chrome extension to version 1.8.1 or later, where this vulnerability has been fixed.

Added: May 12, 2026, 7:12 PM
Updated: May 12, 2026, 7:12 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.1
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.