Chrome Browser Bug Exposes User Data
A vulnerability in Chromium-based browsers could allow hackers to bypass the Content Security Policy (CSP) on websites and steal data or execute malicious code. The flaw, CVE-2020-6519, affects the Chrome, Opera and Edge browsers and potentially affects billions of users. Chrome versions 73 through 83 are affected. Chrome version 84 doesn't have the flaw.
CSP is a web standard that's meant to prevent cross-site scripting and data injection attacks. CSP allows web admins to specify the domains that a browser should consider to be valid sources of executable scripts. A CSP-compatible browser will then only execute scripts loaded in source files received from those domains. CSP is the main method of enforcing data security policies that prevent malicious code execution, so when it can be bypassed, user data is vulnerable.
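A simplified model of the allow-list decision described above, as an added example that is not from the original article. The function names, policy string and URLs are assumptions made for illustration; ports, paths, nonces and hashes are left out, and the code models normal enforcement only, not the bypass.

```javascript
// Added example: simplified model of the CSP allow-list check for script URLs.
// Policy strings and URLs used with it are constructed, not from the article.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// "*.example.com" matches subdomains only, never the bare domain.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function scriptAllowed(header, pageUrl, scriptUrl) {
  const policy = parsePolicy(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, pageUrl); // resolves relative script paths
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return script.origin === page.origin;
    if (s === "*") return ["http:", "https:"].includes(script.protocol);
    if (s.endsWith(":")) return script.protocol === s; // scheme source, e.g. https:
    // Host source with optional scheme: [scheme://]host
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)$/.exec(s);
    if (!m) return false; // ports and paths are outside this model
    const [, scheme, host] = m;
    if (scheme && script.protocol !== scheme + ":") return false;
    // Without a scheme, accept the page's own scheme or an upgrade to https.
    if (!scheme && script.protocol !== page.protocol &&
        script.protocol !== "https:") return false;
    return hostMatches(host, script.hostname);
  });
}
```

Keyword sources such as 'unsafe-inline' and nonce or hash sources never match a URL in this model, so a policy that relies on them needs a fuller evaluator.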
Most websites use CSP, including Facebook, Gmail, Instagram, TikTok, WhatsApp, and Zoom. To exploit the vulnerability, a hacker needs to get access to the web server through brute-forcing passwords or another method. They then need to modify the JavaScript code it uses. Finally, the hacker could add a frame-src or child-src directive in the JavaScript to load and execute injected malicious code, bypassing CSP enforcement and the site's policy.
The vulnerability was in Chrome browsers for more than a year before being fixed. It is highly likely that we will see news of data breaches in the coming months. Users should update their browsers to the latest versions.