Flaw found in the Google Chrome browser exposes billions of users to data theft
According to a new report, researchers have found that attackers can bypass the Content Security Policy (CSP) in Google’s Chromium-based browsers. The flaw can expose the data of billions of users who visit websites through Google Chrome.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.
According to PerimeterX cybersecurity researcher Gal Weizman, the bug, tracked as CVE-2020-6519, is present in Google’s Chrome as well as Opera and Edge, on Windows, Mac, and Android, potentially affecting billions of web users.
CSP is the primary method used by website owners to enforce data-security policies to prevent malicious shadow-code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk.
The research also stated that popular websites such as ESPN, Facebook, Gmail, Instagram, TikTok, WhatsApp, Wells Fargo, and Zoom use CSP. Meanwhile, some notable names were not affected, including GitHub, Google Play Store, LinkedIn, PayPal, Twitter, Yahoo’s Login Page, and Yandex.
“In a similar way, website developers may allow third-party scripts to add functionality to their payment page, for example, knowing that CSP will restrict access to sensitive information. So, when CSP is broken, the risk for sites that relied on it is potentially higher than it would have been if the site never had CSP to begin with,” the researcher said.
The bug has been present since Google Chrome version 73. It was reported to the browser’s developers and was later resolved in Chrome version 84.
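As an added example (not part of the report or of PerimeterX’s research), the Python script below triages User-Agent strings from web or proxy logs for Chromium builds in the version range the article gives, 73 up to but not including 84. It assumes the `Chrome/` token that Edge and Opera send reflects their Chromium major version and that the same range applies to them; the sample strings are constructed, and User-Agent values can be spoofed, so treat the result as an inventory hint.

```python
import re
from collections import Counter

# Range from the article: present since Chrome 73, resolved in Chrome 84.
# Assumption: Edge and Opera are judged by their Chromium major (the Chrome/ token).
FIRST_AFFECTED, FIRST_FIXED = 73, 84

CHROME_TOKEN = re.compile(r"\bChrome/(\d+)\.")
# Vendor tokens that Chromium-based Edge and Opera add to the User-Agent.
VENDOR_TOKENS = (("Edg/", "Edge"), ("EdgA/", "Edge"), ("OPR/", "Opera"))


def classify(user_agent):
    """Return (browser, chromium_major, in_range), or None if no Chrome/ token."""
    match = CHROME_TOKEN.search(user_agent)
    if match is None:  # Firefox, Safari, Chrome on iOS (CriOS/, WebKit engine)
        return None
    major = int(match.group(1))
    browser = next((n for tok, n in VENDOR_TOKENS if tok in user_agent), "Chrome")
    return browser, major, FIRST_AFFECTED <= major < FIRST_FIXED


def summarize(user_agents):
    """Count clients inside the affected range, keyed by (browser, major)."""
    hits = Counter()
    for ua in user_agents:
        result = classify(ua)
        if result and result[2]:
            hits[result[:2]] += 1
    return hits


# Constructed sample User-Agent strings (not real log data).
WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
SAMPLE = [
    WIN + "Chrome/83.0.4103.116 Safari/537.36",
    WIN + "Chrome/84.0.4147.89 Safari/537.36",
    WIN + "Chrome/72.0.3626.121 Safari/537.36",
    WIN + "Chrome/83.0.4103.116 Safari/537.36 Edg/83.0.478.58",
    WIN + "Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.125",
    "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) CriOS/83.0.4103.88 Mobile/15E148 Safari/604.1",
]

if __name__ == "__main__":
    for (browser, major), count in sorted(summarize(SAMPLE).items()):
        print(f"{browser} (Chromium {major}): {count} client(s) in affected range")
```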