Google Chrome, Microsoft Edge Flaws Leave Open to Attack Billions


Billions of Internet users are under threat of cyber attacks due to a security flaw affecting Chromium-based web browsers on Windows, Mac, and Android, including Google Chrome and Microsoft Edge.

Gal Weizman, a security researcher at PerimeterX, disclosed a vulnerability that allows hackers to circumvent the content security policies (CSPs) of various websites.

Circumventing the CSP means that an attacker can access user data or insert malicious code into a website on a vulnerable browser.

Weizman explained in a blog post that the flaw would allow hackers to "completely bypass Chrome's version 73 (March 2019) through 83 (July 2020) CSP rules."

He said: "To better understand the magnitude of this vulnerability: there are billions of potentially affected users. Chrome has over 2 billion users, on the one hand, accounting for over 65% of the browser market; on the other hand, some of the most popular sites on the web are vulnerable."

Weizman further explained that CSPs are "the primary method used by website owners to enforce their data security policies to prevent the execution of malicious shadow code on their websites, so when browser enforcement is bypassed, personal user data is exposed."

Essentially, CSPs allow domain administrators to specify which other domains can serve executable scripts on their web pages. This is an effective way to block cross-site scripting and other common browser-based attacks.
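To make the allowlisting mechanism concrete, here is an added example (not code from the article, from PerimeterX, or from the Chromium project) of a small checker that parses a `Content-Security-Policy` header and decides whether a script origin is permitted by `script-src`, falling back to `default-src` as browsers do. The policy strings, page URL and helper names (`parseCsp`, `scriptAllowed`, `policyWarnings`) are constructed for this illustration; the matcher covers only the common host, scheme and `'self'` source forms, not nonces or hashes.

```javascript
// Added example: a simplified CSP script-src evaluator for Node.js.
// It shows what the header actually encodes: an allowlist of origins
// that may serve executable script, and a way to spot weak allowlists.

// Parse "directive value value; directive value" into an object.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression (e.g. 'self', https:, *.cdn.example.com)
// match the script URL loaded by a page at pageUrl?
function sourceMatches(sourceExpr, scriptUrl, pageUrl) {
  const s = sourceExpr.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (s.startsWith("'")) return false;          // keywords/nonces never match a URL
  if (s === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(scriptUrl.protocol);
  if (s.endsWith(':')) return scriptUrl.protocol === s;   // scheme-source

  // host-source: [scheme://]host[:port][/path]
  let expr = s;
  let scheme = null;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ':'; expr = m[2]; }
  if (scheme && scriptUrl.protocol !== scheme) return false;
  if (!scheme && scriptUrl.protocol !== pageUrl.protocol &&
      !(pageUrl.protocol === 'http:' && scriptUrl.protocol === 'https:')) return false;

  const hm = expr.match(/^([^/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!hm) return false;
  const [, host, port, path] = hm;
  const scriptHost = scriptUrl.hostname;
  if (host.startsWith('*.')) {
    if (!scriptHost.endsWith(host.slice(1))) return false;   // wildcard subdomain
  } else if (host !== scriptHost) {
    return false;
  }
  const scriptPort = scriptUrl.port || defaultPort(scriptUrl.protocol);
  if (port === undefined) {
    if (scriptPort !== defaultPort(scriptUrl.protocol)) return false;
  } else if (port !== '*' && port !== scriptPort) {
    return false;
  }
  if (path) {
    if (path.endsWith('/')) { if (!scriptUrl.pathname.startsWith(path)) return false; }
    else if (scriptUrl.pathname !== path) return false;
  }
  return true;
}

// True if the policy lets the page at pageUrlStr execute scriptUrlStr.
function scriptAllowed(header, scriptUrlStr, pageUrlStr) {
  const csp = parseCsp(header);
  const sources = csp['script-src'] || csp['default-src'];
  if (!sources) return true;                    // no restriction declared at all
  const scriptUrl = new URL(scriptUrlStr);
  const pageUrl = new URL(pageUrlStr);
  return sources.some((src) => sourceMatches(src, scriptUrl, pageUrl));
}

// Flag allowlists that give CSP little protective value.
function policyWarnings(header) {
  const csp = parseCsp(header);
  const sources = csp['script-src'] || csp['default-src'];
  const warnings = [];
  if (!sources) return ['no script-src or default-src: any script origin is allowed'];
  if (sources.includes('*')) warnings.push("script-src contains '*': any origin may serve scripts");
  if (sources.map((v) => v.toLowerCase()).includes("'unsafe-inline'"))
    warnings.push("script-src allows 'unsafe-inline': injected inline script will run");
  return warnings;
}

// Constructed sample policies for a hypothetical page.
const PAGE = 'https://shop.example.com/checkout';
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline'";
const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'";

module.exports = { parseCsp, scriptAllowed, policyWarnings, PAGE, WEAK_CSP, STRICT_CSP };
```

Run with `node` and compare `scriptAllowed(STRICT_CSP, 'https://evil.example.net/x.js', PAGE)` (false) against the same call with `WEAK_CSP` (true): the strict header is what stops a third-party origin from serving script, and `policyWarnings` is the kind of check a site owner can run over their own headers to confirm the allowlist is meaningful in the first place. The article's point is that a browser-side enforcement bug defeats even a correct allowlist, which is why the fix is a browser update rather than a header change.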

However, because of this flaw, users of high-profile websites such as Facebook, Wells Fargo, Gmail, Zoom, TikTok, Instagram, WhatsApp, Investopedia, ESPN, Roblox, Indeed, Blogger, and Quora are at risk of cyber attacks.

If hackers wanted to take advantage of this problem, they would have to break into the target websites' servers, make changes to the JavaScript of the web pages, and insert malicious code.

Weizman added: "In addition to the above sites (representing over 2.5 billion users), thousands of websites across industries including e-commerce, banking, telecommunications, government, and utilities were left unprotected from a scenario in which hackers successfully injected malicious code, a scenario they had estimated to be safe from."

The flaw was fixed in Chromium 84, released on July 14; if you have not yet updated your Chromium-based browser, do so now.

Click the menu icon in the upper right corner of the browser window, scroll to the "Help" section, hover your cursor over it, and select "About" from the slide-out menu. (Some browsers have a separate "About" section.) You will then be prompted to update your browser.

In addition to Brave, Chrome, Edge, Opera, and Vivaldi, Chromium-based browsers include Amazon Silk and the Yandex browser.

Jake Moore, a security specialist at ESET, told Tom's Guide, "It's important to make it as difficult as possible for threat actors to break into our accounts and steal our information. As with most thefts, criminals first target those with minimal security or low awareness."

"Using unique, strong passwords and making sure your browser is up to date will help mitigate many such attacks," Moore recommends.

"Protecting yourself with password generators for all your accounts makes it much harder for hackers to break in through brute force."
