Chrome CSP bypass zero-day vulnerability – Update your web browsers

September 3, 2020

Now is a good time to update your browsers to the latest available version, because security researchers have just disclosed a zero-day vulnerability that would enable attackers to completely bypass Content Security Policy (CSP) rules. Known as CVE-2020-6519, the flaw affects Google Chrome version 84.0.4147.89 and lower and would allow a remote attacker to bypass CSP using a maliciously coded HTML page embedded on hacked and compromised websites. Such a page could be used to install malware and scripts on a user's workstation without the user's knowledge.

The majority of the most popular websites were found to be susceptible to the exploit, including Facebook, Zoom, ESPN, Gmail, Wells Fargo, Blogger, Roblox, Instagram, TikTok, and Quora. Google and the Chrome team have released a patch for the vulnerability in the Chrome 84 update (version 84.0.4147.89), which began rolling out last month after Google was notified of the discovered security flaw.

Content Security Policy is an extra layer of security that detects and mitigates several types of cyberattacks, including data injection attacks and Cross-Site Scripting (XSS). These two attack types alone are behind successful hacking incidents such as website defacement, data theft and exfiltration, and the distribution of financial malware and trojans.

With browsers enforcing CSP rules, websites can instruct the user's browser to run client-side checks that aim to stop specific scripts written to exploit the browser's trust in the content it receives from the server.

Where CSP is the primary control that website owners enforce as their data security policy to prevent malicious scripts from executing, a CSP bypass vulnerability can seriously put user data at risk.

It is worth noting that websites such as LinkedIn, Twitter, GitHub, Google Play Store, Yahoo, PayPal, and Yandex were not susceptible to the flaw, because their CSP implementation used nonces to allow execution of inline scripts.

The full extent of the implications of this vulnerability is still unknown. Hence, we at iZOOlogic strongly encourage all users to update their Google Chrome browsers to the latest available patch to avoid falling victim to such malicious script execution. For website administrators and owners, we recommend implementing the nonce feature of CSP as an added layer of security.
