In the Chrome 68 release, Google marks all non-HTTPS websites as 'Not Secure,' making the browser a safer place for Internet users.
Recently, Ron Masas, a security researcher at Imperva, found a vulnerability in the browser that could let an attacker learn personal information held by web platforms such as Google and Facebook. All the attacker needs to do is trick the victim into visiting a website they control.
The vulnerability, CVE-2018-6177, stems from how HTML audio and video tags handle cross-origin responses. It affects every browser built on the Blink engine, including Google Chrome.
To illustrate the attack scenario, the researcher used Facebook as an example: the most popular social media platform, and one that gathers in-depth user information, including age, gender, geographical location, and interests.
Facebook's targeted-audience feature lets page Admins restrict who can see a specific post based on age, geographical location, gender, and interests.
How does the browser attack method work?
To demonstrate the vulnerability, the researcher created a series of Facebook posts with restricted audiences, each limited to a particular age, location, interest, or gender.
If a website embeds all of these posts, only the posts whose audience restrictions match the visitor's Facebook profile data will load and display for that visitor.
For example, if a post is set to display only to Facebook users who are 26, male, and interested in exploration, and that post loads successfully, the attacker learns that the visitor has those attributes, even if the visitor's privacy settings hide them.
Although the concept is straightforward, a page Admin (here, the attacker) normally has no way to determine whether an embedded post loaded for a specific visitor.
Fortunately, the browser's Cross-Origin Resource Sharing (CORS) policy prevents a website from reading content fetched from another site unless that site explicitly permits it.
However, Imperva's researchers found that HTML audio and video tags do not validate the content type of the response they fetch and do not reject responses with an invalid MIME type. An attacker can therefore place multiple hidden video or audio tags on a website that request the Facebook posts.
Although this method does not render the Facebook posts, it lets the attacker observe (using JavaScript) the size of the fetched resource and the number of requests the browser makes, which is enough to tell which posts loaded for a given Facebook visitor.
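The defences against this class of leak are mostly server-side headers on the endpoint that serves the embeddable, user-specific content. The following audit function is an added example, not code from Imperva or from the original article; it checks constructed sample responses for a declared Content-Type with `nosniff`, a restrictive `Cross-Origin-Resource-Policy` (a browser feature added after this disclosure, which blocks cross-origin `<audio>`/`<video>` loads outright), and `SameSite` on session cookies so the victim's credentials are not sent with a cross-site media request in the first place.

```python
"""Audit an embeddable endpoint's response headers for the defences that
stop cross-origin <audio>/<video> load-success leaks (CVE-2018-6177 class)."""

from typing import Dict, List


def audit_embed_response(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the response is hardened."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Media elements ignored the MIME type: at least declare a type and forbid sniffing.
    if "content-type" not in h:
        findings.append("missing Content-Type")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # CORP makes the browser drop no-cors loads (img/audio/video) from other origins.
    corp = h.get("cross-origin-resource-policy", "").strip().lower()
    if corp not in ("same-origin", "same-site"):
        findings.append("Cross-Origin-Resource-Policy not same-origin/same-site")

    # The leak needs the victim's cookies on a cross-site subresource request;
    # SameSite=Lax or Strict keeps them off such requests.
    for cookie in set_cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "samesite=lax" not in attrs and "samesite=strict" not in attrs:
            name = cookie.split("=", 1)[0].strip()
            findings.append(f"cookie '{name}' lacks SameSite=Lax/Strict")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
WEAK_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly"]

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Resource-Policy": "same-origin",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cks in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                             ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit_embed_response(hdrs, cks) or ["ok"])
```

Run it against real responses by feeding the header map and the list of Set-Cookie values from your HTTP client; the checks are independent of the client library.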
The researchers note that running multiple such scripts in parallel, each restricted to a specific age group, lets an attacker harvest large amounts of personal data.
A member of Google's security team also pointed out that the vulnerability could affect any website that uses APIs to fetch user-specific information for a session.
The key point is that this vulnerability resembles those discovered in other browsers in June, which likewise exploited weaknesses in how browsers handle cross-domain requests for video and audio files and allowed attackers to read the content of emails and private messages on Gmail or Facebook.
To secure your Facebook account, in addition to setting a strong password, it is advisable to enable Facebook two-factor authentication using your phone.
Imperva's researchers reported the vulnerability to Google together with a proof of concept. The Chrome development team fixed the issue in the Chrome 68 release, and Chrome users are advised to update to the latest version as soon as possible.