Vulnerability in Google Chrome browser allows attackers to steal data from website visitors


Flaw found in the Google Chrome browser exposes billions of users to data theft

According to a new report, researchers have found that attackers can bypass the Content Security Policy (CSP) in Google’s Chromium-based browsers. The flaw can expose the data of billions of users who visit any website through Google Chrome.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

According to PerimeterX cybersecurity researcher Gal Weizman, the bug, tracked as CVE-2020-6519, is present in Google’s Chrome, as well as in Opera and Edge, on Windows, Mac, and Android, potentially affecting billions of web users.

CSP is the primary method used by website owners to enforce data-security policies to prevent malicious shadow-code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk.


The research also stated that popular websites such as ESPN, Facebook, Gmail, Instagram, TikTok, WhatsApp, Wells Fargo, and Zoom use CSP. Meanwhile, some notable names were not affected, including GitHub, Google Play Store, LinkedIn, PayPal, Twitter, Yahoo’s Login Page, and Yandex.

To exploit the security flaw, the attacker first needs to gain access to the web server (through brute-forcing passwords or another method), which allows modifying the JavaScript code it uses. With that access, the attacker could add a frame-src or child-src directive in the JavaScript to allow the injected code to load and execute, bypassing the CSP enforcement and thus the site’s policy, explained Weizman.

In a similar way, website developers may allow third-party scripts to add functionality to their payment page, for example, knowing that CSP will restrict access to sensitive information. So, when CSP is broken, the risk for sites that relied on it is potentially higher than it would have been if the site never had CSP to begin with, the researcher said.

The bug has been present since Google Chrome version 73. It was reported to the browser's developers and was later resolved in Chrome version 84.
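The version range above lends itself to a quick exposure check over web-server logs. The following is an added example, not code from the article or from PerimeterX: it classifies User-Agent strings by Chromium major version, assuming the article's range (present from version 73, resolved in 84); the function names and the sample User-Agent strings are constructed for illustration.

```python
import re
from collections import Counter

# Range taken from the article: present from Chrome 73, resolved in Chrome 84.
FIRST_AFFECTED, FIRST_FIXED = 73, 84

# Chromium-based Chrome, Edge and Opera all carry a Chrome/<version> token.
CHROME_TOKEN = re.compile(r"\bChrome/(\d+)\.")
# Extra tokens that identify the brand built on top of Chromium.
BRAND_TOKENS = (("Edg/", "Edge"), ("EdgA/", "Edge"), ("OPR/", "Opera"))

def classify(user_agent):
    """Return (brand, chromium_major, status) for one User-Agent string."""
    match = CHROME_TOKEN.search(user_agent)
    # Legacy (EdgeHTML) Edge also sends a Chrome/ token but is not Chromium.
    if not match or " Edge/" in user_agent:
        return ("other", None, "not-chromium")
    major = int(match.group(1))
    brand = next((name for tok, name in BRAND_TOKENS if tok in user_agent), "Chrome")
    if major < FIRST_AFFECTED:
        status = "predates-bug"
    elif major < FIRST_FIXED:
        status = "affected"
    else:
        status = "fixed"
    return (brand, major, status)

def summarize(user_agents):
    """Count how many clients fall into each status."""
    return Counter(classify(ua)[2] for ua in user_agents)

# Constructed sample User-Agent values (not taken from real traffic).
_WEBKIT = "AppleWebKit/537.36 (KHTML, like Gecko)"
SAMPLE_UAS = [
    f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {_WEBKIT} Chrome/83.0.4103.116 Safari/537.36",
    f"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) {_WEBKIT} Chrome/84.0.4147.89 Safari/537.36",
    f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {_WEBKIT} Chrome/80.0.3987.163 Safari/537.36 Edg/80.0.361.111",
    f"Mozilla/5.0 (Linux; Android 10) {_WEBKIT} Chrome/72.0.3626.121 Mobile Safari/537.36 OPR/51.1.2461.137501",
    "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify(ua))
    print(dict(summarize(SAMPLE_UAS)))
```

User-Agent strings are client-supplied and can be spoofed, so the counts indicate likely exposure among visitors rather than a guarantee.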

