If you have not recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be a good idea to do so as soon as possible.
Cybersecurity investigators on Monday released details of a zero-day bug in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to circumvent Content Security Policy (CSP) rules since Chrome 73.
Tracked as CVE-2020-6519 (rated 6.5 on the CVSS scale), the problem comes from a CSP bypass that results in random execution of malicious code on target websites.
According to PerimeterX, some of the most popular websites, including Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger, and Quora, were sensitive to the CSP bypass.
Interestingly, it seems that the same bug was also highlighted by Tencent Security Xuanwu Lab more than a year ago, just a month after the release of Chrome 73 in March 2019, but was never addressed until PerimeterX reported the issue earlier this March.
After the findings were revealed to Google, the Chrome team released a fix for the vulnerability in Chrome 84 update (version 84.0.4147.89) which started rolling out on July 14 last month.
CSP is an additional layer of security that helps detect and reduce certain types of attacks, including cross-site scripting (XSS) and data injection attacks. CSP rules allow a website to mandate the victim’s browser to perform certain client page checks with the aim of blocking specific scripts that are designed to use the browser’s trust in the content received from the server.
Given that CSP is the primary method used by website owners to enforce data security policies and prevent the execution of malicious scripts, a CSP bypass can effectively endanger user data.
This is accomplished by specifying the domains that the browser should consider valid sources as executable scripts, so that a CSP-compatible browser only executes scripts loaded into source files received from those domains with allowed list, and ignores all others .
The bug discovered by Tencent and PerimeterX bypasses the configured CSP for a web page by simply passing malicious JavaScript code in the ‘src’ property of an HTML iframe element.
It is worth noting that websites such as Twitter, Github, LinkedIn, Google Play Store, the login page of Yahoo, PayPal, and Yandex have not been found vulnerable since CSP policies were implemented with a nonce or hash to implement to allow inline scripts.
“Having a vulnerability in Chrome’s CSP enforcement mechanism does not directly mean that pages have been hacked, because attackers also have to manage to get the malicious script that is being cited from the site (which is why the vulnerability was classified as medium severity), “PerimeterX’s Gal Weizman noted.
While the implications of the vulnerability remain unknown, users should update their browsers to the latest version to protect against such code execution. Website owners, for their part, are advised to use CSP nonce and hash capabilities for added security.
In addition to this, the latest Chrome update 84.0.4147.125 for Windows, Mac and Linux systems also fixes 15 other security vulnerabilities, of which 12 were rated ‘high’ and two ‘low’ in severity.
.
