Chrome’s CSP vulnerability puts billions of users at risk of data theft.

Threatpost reports that browsers built on the Chromium engine have been exposed to a bypassable content security policy (CSP) vulnerability that leaves billions of users open to attackers stealing data and executing malicious code. According to Gal Weizman, a security researcher at PerimeterX, the vulnerability (CVE-2020-6519) is present in Chrome on Windows, Mac and Android, as well as in Opera and Edge.

[Image: Chrome's CSP vulnerability puts billions of users at risk of data theft. Source: PerimeterX]

If you are still running any version from Chrome 73 (released in March 2019) through Chrome 83 (July 2020), update to Chrome 84, which fixes CVE-2020-6519, as soon as possible.

As a web standard, content security policy (CSP) is designed to prevent certain classes of attack, such as cross-site scripting (XSS) and data injection.

CSP lets a site administrator specify the set of sources from which the browser may execute scripts, so that a standards-compliant browser loads scripts only from the trusted sources the policy lists.


Browsers are vulnerable, but websites are not.

“CSP is the primary method that site owners use to enforce data security policies to prevent malicious shadow code from executing on their websites, so when it is bypassed in the browser, individual users’ data is at risk,” Weizman said in a research note released Monday.

Most sites now use CSP, including internet giants such as ESPN, Facebook, Gmail, Instagram, TikTok, WhatsApp, Wells Fargo and Zoom.

A number of well-known sites, however, were not affected, including GitHub, the Google Play Store, LinkedIn, PayPal, Twitter, Yahoo's login pages and Yandex.


To exploit this vulnerability, an attacker must first gain access to the web server, by brute force or other means, so that they can modify its JavaScript code.

The attacker could then add a frame-src or child-src directive to that JavaScript to inject code and force it to execute, bypassing the protection of the site's CSP.

Although the vulnerability is rated medium severity (6/10) under CVSS, it has broader significance because it undermines the enforcement of CSP itself. In other words, when an affected browser is targeted, the resulting damage can be far more serious than the score suggests.


For example, a website with a correctly deployed CSP should still be able to restrict access to such sensitive information. But by the same token, a malicious web developer could use a third-party script that adds extra functionality to a payment page to reach that data.

To make matters worse, the vulnerability had been present in Chrome for more than a year and was only recently fully fixed. As a result, Weizman warns, the full impact of the vulnerability is not yet known.

Finally, to avoid the exposure of sensitive data such as personally identifiable information (PII) through attacks of this kind, upgrade your browser to the latest version immediately.