Posted on August 12, 2020 at 7:25 PM
A cybersecurity researcher revealed that Opera, Microsoft Edge, and Google Chrome users could be at risk of attack due to a single vulnerability in chrome-based web browsers.
According to the report, the vulnerability affects Windows, Mac, and Android users. The zero-day chromium-powered vulnerability was exploitable from March last year to July this year. Based on market share statistics for last month, Chromium powers more than 65 percent of web browser usage. That means the number of potential targets could reach billions.
The nature of vulnerability shows that most of the biggest websites in the world could be vulnerable to potential exploitation of the content security bypass threat. These firms also include big shots like Gmail, Facebook, Zoom, WhatsApp, TikTok, Roblox, Instagram, as well as ESPN.
PerimeterX researcher Gal Weizman, in a technical deep dive, explained how he discovered the vulnerability in the web-based browsers that impacted Opera, Edge, and Chrome from March last year till as recent as last month. He said the vulnerability could allow a threat actor to completely bypass CSP rules.
The vulnerability, known as CVE-2020-6519, can potentially impact almost all websites since a majority of them do not utilize enhanced content security policies (CSP) managed from the server-side.
GitHub and Yahoo among websites not at risk
The sites implemented the CSP using hash or nonce, in addition to the server-side protection that’s important too.
As the name implies, a content security policy is the main method of ensuring data security using policies that enable web owners to prevent the execution of malicious shadow code.
The CSP is employed to direct browsers to execute client-side rules by allowing specific requests or blocking them, It is intended to protect visitors to the website from the risk of executing malicious scripts on the client-side.
Weizman reiterated that “It is extremely risky when a vulnerability is found in the security mechanism that prevents such breaches,” since the affected websites depend heavily on the CSP for protection.
Any actual attack may not be as easy as it seems
Although the websites mentioned are at risk of a possible attack, it doesn’t mean hackers will succeed when they try to attack the targeted sites. In essence, even if a zero-day vulnerability exists, it doesn’t always translate to possible attacks. That’s because several other factors need to be in place before any attack is successful.
At least, before the vulnerability can lead to an actual attack, a threat actor would need to gain the ability to call a malicious script. That single factor explains why vulnerability is not termed a critical one but medium-risk vulnerability.
The flaw has been patched
The researchers say the vulnerability has been patched and updated sites are not at risk. Although the vulnerability has been patched, those who have not updated or applied the latest update are still at risk of attack. As a result, security researchers have warned users to get their updates done as soon as possible, especially those running the most recent Chrome 84 browser.
Even those using Opera or Edge can still check whether they have the complete update installed. They can do this by choosing the “About” option on the ‘Help” menu, which will lead them to the update section.
There is also a role for website owners who want to make sure they are completely covered and protected. Apart from the usual CSP policies, they should consider adding an extra layer of security. They can use data-based monitoring and detection of shadow code to prevent injection of code in real-time, as PerimeterX has recommended.
A senior public relations manager at Opera Julia Szyndielors mentioned that vulnerability has been patched. However, everyone needs to keep their browser up to date to avoid being subject to any flaw.
Apart from this, the most recent Chrome update 84.0.4147.125 update for Linux, Mac, and Windows systems also patches 15 other security vulnerabilities, out of which 12 are regarded as high-risk vulnerabilities.
He said he has also contacted Microsoft and Google with information about the vulnerability and actionable processes.