Browser CSP Bug Exposes Billions of Users Vulnerable to Data Theft


A bug was recently discovered in Chromium-based browsers (Chrome, Opera and Edge) on Windows, macOS and Android that allows an attacker to bypass a website's Content Security Policy (CSP) entirely.

Gal Weizman, a JavaScript expert at PerimeterX, found the browser bug and described it in detail in his blog. The bug, CVE-2020-6519, was present from Chrome version 73 through Chrome version 83; Google patched the vulnerability in its latest version, Chrome 84, which was released this July.

What is CSP?

According to Wikipedia, Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks that result from the execution of malicious content in the trusted web page context.

It works like a pact between the browser and the website: the site declares which sources of scripts and other content it trusts, and the browser blocks anything that falls outside that policy, protecting the website and its users. It is the most basic security standard employed by websites.

The flaw

In his blog, Gal explains the flaw by demonstrating the execution of a piece of JavaScript code via different methods.

Normally, the browser blocks any attempt to run the demonstrated JavaScript code, because the website's CSP disallows either the source of the code or the actions the JavaScript intends to perform.

But when he runs the same code through a javascript: URL set as the src of an iframe, the website's CSP is bypassed completely.

According to Gal, the attack technique seems simple, but the consequences are enormous. He expresses his concern in these words:

“Billions of browsers on any OS would have blindly allowed CSP privilege escalation for any unwanted code in a website.” 

Some of the sites that the researcher reported as vulnerable were Facebook, Wells Fargo, Gmail, Zoom, TikTok, Instagram, WhatsApp, Investopedia, ESPN, Roblox, Indeed, Blogger, Quora, and more.

Weizman said that some websites, such as Twitter, GitHub, LinkedIn, the Google Play Store, Yahoo's login page, PayPal and Yandex, were not vulnerable to the bug because they use a nonce or hash in their CSP. A nonce or hash ties the permission to run a script to that specific script rather than to where it came from, which adds an extra layer of security between the site's server and the client.

The bug is said to have been identified and reported a year ago, but no action was taken. It has been classified as medium severity and rated 6.5 on the CVSS scale. The bug is a massive vulnerability, but to exploit it successfully an attacker first needs a way to get a malicious script loaded by the site whose trust is being broken. Gaining that access is quite challenging, but once it is gained, the site's security is compromised.

Websites primarily rely on CSP to control third-party content. This can make them complacent enough to allow some code or scripts from outside sources, trusting CSP to catch anything harmful.

The situation is made worse by the fact that the Chrome browser alone holds about 65% of the browser market, which means that a massive number of websites and users were vulnerable to the flaw before the update.

Although no data breaches have been reported so far, there is always a possibility of them arising in the future.
