Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers


If you haven’t recently updated your Chrome, Opera, or Edge
web browser to the latest available version, it would be an
excellent idea to do so as quickly as possible.

Cybersecurity researchers on Monday disclosed details about a
zero-day flaw[1] in Chromium-based web browsers for Windows, Mac and
Android that could have allowed attackers to entirely bypass Content
Security Policy (CSP) rules since Chrome 73.

Tracked as CVE-2020-6519[2] (CVSS score 6.5, medium severity), the
issue is a flaw in the browser's CSP enforcement that lets an attacker
who can already inject markup into a page run arbitrary JavaScript in
the context of the target website, despite a policy meant to forbid it.

According to PerimeterX, some of the most popular websites,
including Facebook, Wells Fargo, Zoom, Gmail, WhatsApp,
Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger, and
Quora, were susceptible to the CSP bypass.


Interestingly, the same flaw was highlighted[3] by Tencent Security
Xuanwu Lab more than a year earlier, about a month after the release
of Chrome 73 in March 2019, but it was not addressed until PerimeterX
reported the issue[4] in March 2020.

After the findings were disclosed to Google, the Chrome team issued a
fix in the Chrome 84 update[5] (version 84.0.4147.89), which began
rolling out on July 14, 2020.

CSP is an additional layer of defense that helps detect and mitigate
certain classes of attack, notably Cross-Site Scripting (XSS) and
other content-injection attacks. Through CSP rules, delivered in the
Content-Security-Policy response header (or a meta tag), a website
instructs the visitor's browser which sources of script and other
content it may load and execute, so that injected script is refused
even when the server has been tricked into reflecting it; the rules
counter attacks that abuse the browser's trust in whatever the server
sends.


Because CSP is one of the main mechanisms website owners rely on to
stop injected scripts from running, a CSP bypass removes that
safety net and can put user data at risk.

CSP does this by letting the site specify the domains the browser
should treat as valid sources of executable script: a CSP-compliant
browser then executes only script files fetched from those
allow-listed domains, ignores all others, and refuses inline script
unless the policy explicitly permits it (for example with
'unsafe-inline', or with a matching nonce or hash).

The flaw discovered by Tencent and PerimeterX circumvents a website's
configured CSP simply by placing JavaScript code (a javascript: URL)
in the src attribute of an HTML iframe element[6], which the affected
browsers executed as if the policy did not apply.

It's worth noting that websites such as Twitter, GitHub, LinkedIn,
the Google Play Store, Yahoo's login page, PayPal, and Yandex were not
found vulnerable, because their CSP policies used a nonce[7] or hash
to authorize inline scripts rather than a plain domain allowlist.

“Having a vulnerability in Chrome’s CSP enforcement mechanism
doesn’t directly mean that sites are breached, as the attackers
also need to manage to get the malicious script called from the
site (which is why the vulnerability was classified as medium
severity),” PerimeterX’s Gal Weizman noted.

While the full impact of the vulnerability is unknown, users should
update their browsers to the latest version to protect against this
kind of script execution. Website owners, for their part, are advised
to build their CSP on nonce and hash source expressions rather than
relying on domain allowlists alone.

Besides this, the latest Chrome update, 84.0.4147.125[8] for Windows,
Mac, and Linux, also patches 15 other security vulnerabilities, 12 of
which are rated 'high' and two 'low' in severity.


References

  1. zero-day flaw (www.perimeterx.com)
  2. CVE-2020-6519 (nvd.nist.gov)
  3. highlighted (bugs.chromium.org)
  4. reported the issue (bugs.chromium.org)
  5. Chrome 84 update (chromereleases.googleblog.com)
  6. HTML iframe element (developer.mozilla.org)
  7. nonce (content-security-policy.com)
  8. Chrome update 84.0.4147.125 (chromereleases.googleblog.com)
