A bug was recently discovered in Chromium-based browsers (Chrome, Opera, Edge) on Windows, Mac, and Android that allows an attacker to bypass a site's Content Security Policy (CSP) entirely.
What is CSP?
According to Wikipedia, Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in the trusted web page context.
In practice it is a contract between a website and the browser: the site declares, in a Content-Security-Policy HTTP header, which sources of scripts, styles, and other resources are allowed, and the browser refuses to load or execute anything outside that allow-list, protecting both the site and its users. It is one of the most basic safeguards a website can deploy against injected content.
According to Gal Weizman, the researcher who reported the bug, the technique behind the attack is simple, but the consequences are enormous. He expressed his concern as follows:
“Billions of browsers on any OS would have blindly allowed CSP privilege escalation for any unwanted code in a website.”
Weizman said that some websites, such as Twitter, GitHub, LinkedIn, the Google Play Store, Yahoo's login page, PayPal, and Yandex, were not vulnerable to the bug because they use nonces or hashes. A nonce-based policy only runs a script whose tag carries a random per-response token, and a hash-based policy only runs a script whose content matches a digest listed in the header, so execution is tied to the specific scripts the server intended rather than to the host they are served from. That extra layer is what kept those sites unaffected.
The bug is reported to have been identified and reported a year ago, but no action was taken at the time. It has been classified as medium severity, with a CVSS score of 6.5. The vulnerability is serious, but to exploit it an attacker first needs a way to get a malicious script invoked from the site whose trust is being abused, for example through an existing injection point: the bypass defeats CSP, it does not supply the injection. Gaining that foothold is the hard part, but once it is gained, the site's CSP protection is gone.
Websites rely on CSP primarily to contain third-party code. That reliance can breed complacency: a site that trusts the browser to block anything outside its allow-list may have no second line of defense when that enforcement itself fails.
The situation is made worse by the fact that Chrome alone holds about 65% of the browser market, which means that a massive number of websites and users were exposed to the flaw before the update.
Although no data breaches exploiting the bug have been reported so far, the possibility of them surfacing in the future remains.