The CVE-2020-6519 bug was found in Google Chrome, Opera and Microsoft Edge, leaving Android and Mac users at risk.

A zero-day vulnerability in Chromium-based web browsers, exploitable between March 2019 and July 2020, allowed attackers to bypass the CSP on websites and steal user data.

The vulnerability allows attackers to bypass Content Security Policy (CSP) protections and steal data from website visitors.

PerimeterX reports that some of the most popular websites, including Facebook, Wells Fargo, Zoom, Gmail, Investopedia, WhatsApp, Roblox, ESPN, TikTok, Blogger, Instagram and Quora were susceptible to the CSP bypass.

The same flaw was highlighted by Tencent Security Xuanwu Lab more than a year ago, soon after the release of Chrome 73 in March 2019, but was never dealt with until PerimeterX reported the issue.

What is CSP?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

After the findings were disclosed to Google, the Chrome team issued a fix for the vulnerability in the Chrome 84 update (version 84.0.4147.89), which began rolling out on July 14 last month.

The attacker initially needs to gain entry to the web server (through brute-forcing passwords or another method) to be able to modify the JavaScript code the site uses. The attacker could then induce a frame-src or child-src directive in the JavaScript to allow the injected code to load and execute, bypassing the site's policy, explains Weizman of PerimeterX.

Users must update their browsers to the latest version to safeguard against such code execution. Website owners, for their part, are recommended to use the nonce and hash capabilities of CSP for added security.
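To illustrate the nonce and hash recommendation above, the following Python is an added example (not code from the article or from PerimeterX): it parses a CSP header, flags script- and frame-related weaknesses a reviewer would look for, and builds the 'nonce-...' and 'sha256-...' source expressions a site would ship instead of 'unsafe-inline'. The sample headers are constructed.

```python
import base64
import hashlib
import secrets

STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_hash(inline_js: str) -> str:
    """CSP hash source for an inline <script> body; it covers the exact UTF-8 text."""
    digest = hashlib.sha256(inline_js.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh per-response nonce for a 'nonce-...' source and matching <script nonce=...>."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def review_csp(header: str) -> list:
    """Return the weaknesses found in the script- and frame-related directives."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        strict = any(s.startswith(STRICT_PREFIXES) for s in scripts)
        if "'unsafe-inline'" in scripts and not strict:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval'")
        if not strict:
            findings.append("script-src is a host allow-list only: add nonce or hash sources")
    if "frame-src" not in policy and "child-src" not in policy:
        findings.append("no frame-src or child-src: frames fall back to default-src")
    return findings


# Constructed sample headers: a weak policy and a hardened form of it.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"
HARDENED_CSP = ("default-src 'self'; frame-src 'none'; "
                "script-src 'self' 'nonce-%s' %s" % (new_nonce(), script_hash("init();")))
```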

The latest Chrome update, 84.0.4147.125 for Windows, Mac and Linux systems, patched 15 other security vulnerabilities, of which 12 are rated 'high' and 2 'low' in severity.