New Browser Flaws Let Hackers Bypass Security on Chrome, Edge, and Mobile Apps

Massive Browser Security Flaws Discovered by Tsinghua University Expose Millions to Cross-Origin Attacks

A groundbreaking study from security experts at Tsinghua University has exposed a hidden danger lurking in nearly every major web browser. These newly identified vulnerabilities allow attackers to launch cross-site scripting (XSS) attacks by bypassing one of the internet’s core security mechanisms: the Same-Origin Policy (SOP). By exploiting advanced web technologies like HTTP/2 server push and Signed HTTP Exchange (SXG), hackers can manipulate trusted browser behaviors and gain access to private user data across different websites.

In a digital age where we rely on browsers for everything from banking to messaging, this vulnerability has severe implications for global cybersecurity. Let’s dive into the full story behind the CrossPUSH and CrossSXG attack methods shaking the foundations of web safety.

Here’s What You Need to Know (Summary in 30 lines):

Security researchers from Tsinghua University have discovered two new attack techniques, CrossPUSH and CrossSXG, which can bypass the Same-Origin Policy (SOP) — a foundational web security rule designed to keep websites isolated from each other. These exploits target modern browser features like HTTP/2 server push and Signed HTTP Exchange (SXG), both of which are increasingly used to boost web performance.

The root of the issue lies in how browsers and the HTTP protocol define authority differently. Browsers are strict about what defines a website’s origin — the full combination of scheme (such as HTTPS), host, and port — whereas HTTP/2 treats any domain listed in the TLS certificate’s Subject Alternative Name (SAN) field as a host the connection is equally authoritative for. This mismatch is the gap the attacks exploit.

Researchers found two easy paths for acquiring shared certificates: by purchasing and reselling domains while holding onto certificates, or by hijacking unused “dangling” domains linked to expired cloud resources. In both cases, attackers can issue new certificates that group their malicious sites with high-trust ones.

The attack surface is vast. Out of 14 tested browsers, 11 were vulnerable, including popular ones like Chrome and Edge. Mobile platforms aren’t safe either, with apps like Instagram and WeChat also affected.

The numbers are staggering: over 10,000 resold domains from the Tranco Top 1 Million are potentially vulnerable. At least 5,000 more are dangling and could be hijacked. Even more shocking, 85% of the world’s top 1,000 websites share certificates with low-ranked or abandoned domains, creating dangerous security dependencies.

These attacks aren’t just theoretical. They can bypass even HTTPS protections and strict Content Security Policies. With the ability to execute scripts, steal cookies, initiate downloads, and compromise login sessions, these vulnerabilities represent a full-blown cyber threat.

Tsinghua researchers proposed four mitigation techniques and are actively working with browser vendors to patch the flaws. Tech giants including Microsoft, Huawei, and Baidu have acknowledged the issue. The challenge now is ensuring these fixes are rolled out universally before attackers exploit them on a wide scale.

What Undercode Say: (Analytical Commentary in 40 lines)

The discovery of CrossPUSH and CrossSXG represents a major turning point in web security discourse. These attacks do not rely on traditional hacking methods like phishing or brute force. Instead, they manipulate how browsers interpret trust. This is an architectural vulnerability — a mismatch in protocols — which makes it significantly harder to detect and block using conventional defense mechanisms.

The threat here is systemic. Because browsers are built to trust certificates and performance-enhancing technologies like HTTP/2, users and developers alike have assumed these systems were safe. But when trust is misassigned, especially across domains sharing certificates, attackers gain an unprecedented opportunity to operate beneath the radar.

It’s especially concerning that even HTTPS and Content Security Policy — long regarded as gold standards for secure development — offer no real protection here. This indicates a foundational flaw not in how websites are built, but in how browsers process identity and authority.

One of the more alarming revelations is how easily an attacker can gain access to shared certificates. Domain reselling is a legitimate practice, and dangling DNS entries are common among large corporations using cloud services. These are not rare edge cases — they’re normal internet behavior. This normalcy is exactly what makes the vulnerability so dangerous.

The fact that over 85% of the top 1,000 websites are at risk through shared certificates with obscure or inactive domains underscores the fragility of modern trust chains on the web. It shows that high-profile platforms are only as secure as the weakest domain listed alongside them.

What makes mitigation difficult is the distributed nature of the problem. It’s not enough for browser vendors to push patches. Domain owners, certificate authorities, and cloud platforms must all coordinate to close these gaps — a notoriously difficult undertaking.

If nothing else, this discovery highlights the urgent need to rethink how browsers validate origin authority. Simply put, SOP enforcement based on URLs cannot coexist with certificate-based authority spread across unrelated domains.

In the short term, tech companies should audit their certificate chains and eliminate shared SAN entries that include third-party or reseller domains. In the longer term, the industry must evolve beyond current certificate validation models to something more resilient against misuse.
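The following script is an added illustration, not code from the Tsinghua paper or from this article. It makes the summary’s origin-versus-authority mismatch concrete and implements the short-term audit suggested above: given one certificate’s SAN list and the domains an operator actually controls, it reports SAN entries that belong to someone else and URL pairs that the browser’s SOP isolates but a shared certificate makes co-authoritative under HTTP/2 connection reuse (RFC 7540 section 9.1.1). The SAN list, domain names and URLs are constructed sample data; `registrable_domain` uses a naive two-label rule, and a real audit should use the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Constructed sample input (not from the paper or the article): the Subject
# Alternative Name list of one certificate after a domain resale, plus the
# domains the site operator actually controls. All names are hypothetical.
SAMPLE_SAN = [
    "www.example-bank.com",
    "*.example-bank.com",
    "old-promo-site.net",      # resold domain still covered by the shared cert
]
OWNED_DOMAINS = {"example-bank.com"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def browser_origin(url):
    """Origin as the browser's Same-Origin Policy sees it: (scheme, host, port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname, port)


def same_origin(url_a, url_b):
    return browser_origin(url_a) == browser_origin(url_b)


def san_matches(san_entry, host):
    """RFC 6125-style host match: exact name, or a single-label wildcard in the
    leftmost position ('*.example.com' covers 'a.example.com' but not
    'example.com' or 'a.b.example.com')."""
    san_entry, host = san_entry.lower(), host.lower()
    if san_entry.startswith("*."):
        suffix = san_entry[1:]                 # ".example.com"
        if not host.endswith(suffix):
            return False
        first_label = host[: -len(suffix)]
        return first_label != "" and "." not in first_label
    return san_entry == host


def http2_authoritative(san_list, host):
    """HTTP/2 connection reuse (RFC 7540 section 9.1.1) treats a connection as
    authoritative for any host the presented certificate is valid for."""
    return any(san_matches(entry, host) for entry in san_list)


def registrable_domain(name):
    """Naive: the last two labels. A real audit should use the Public Suffix List."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def foreign_san_entries(san_list, owned_domains):
    """SAN entries whose registrable domain is not under the operator's control."""
    return [e for e in san_list if registrable_domain(e) not in owned_domains]


def risky_pairs(san_list, urls, owned_domains):
    """URL pairs that the SOP isolates, that the shared certificate nevertheless
    makes co-authoritative under HTTP/2, and where one side is a foreign host."""
    found = []
    for i, a in enumerate(urls):
        for b in urls[i + 1:]:
            if same_origin(a, b):
                continue
            host_a, host_b = browser_origin(a)[1], browser_origin(b)[1]
            if not (http2_authoritative(san_list, host_a)
                    and http2_authoritative(san_list, host_b)):
                continue
            if (registrable_domain(host_a) not in owned_domains
                    or registrable_domain(host_b) not in owned_domains):
                found.append((a, b))
    return found


if __name__ == "__main__":
    urls = ["https://www.example-bank.com/login",
            "https://cdn.example-bank.com/app.js",
            "https://old-promo-site.net/"]
    print("foreign SAN entries:", foreign_san_entries(SAMPLE_SAN, OWNED_DOMAINS))
    for a, b in risky_pairs(SAMPLE_SAN, urls, OWNED_DOMAINS):
        print("SOP isolates but certificate co-authorises:", a, "<->", b)
```

Run against a real deployment, the SAN list would come from the served certificate (for example via `openssl s_client` and `openssl x509 -text`), and every entry that `foreign_san_entries` reports is a candidate for removal or for re-issuing the certificate without it; the pairs from `risky_pairs` show which of the operator’s own origins a foreign host would share connection authority with.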

Tsinghua’s work is a wake-up call. It shows how innovation in performance (like HTTP/2 server push) can open doors to security regressions. In the pursuit of speed, we cannot afford to sacrifice trust.

Fact Checker Results ✅

🔍 The research is credible, published by Tsinghua University’s security lab.
🔐 Vulnerabilities have been acknowledged by Microsoft, Huawei, and Baidu.
📉 Exploits affect both HTTPS-enabled sites and those using strict CSP.

Prediction 🔮

As awareness spreads, browser vendors will race to deploy patches. Certificate authorities may tighten rules on SAN usage, while organizations will begin scanning for dangling DNS records. In the long term, we may see a shift toward stricter domain isolation or browser-level changes that no longer rely so heavily on TLS certificate-based authority. The next generation of browser security will likely need to balance performance with verifiable trust — or risk another wave of systemic web attacks.

References:

Reported By: cyberpress.org