PerimeterX Researcher Finds Vulnerability in Google Chrome: Most Websites Using Content Security Policies (CSPs) Including Some of the Most Popular Sites on the Web Were at Risk

PerimeterX cybersecurity researcher Gal Weizman discovered a vulnerability CVE-2020-6519 in Chromium based browsers – Chrome, Opera and Edge – on Windows, Mac and Android that allowed attackers to fully bypass CSP rules on Chrome versions 73 (March 2019) through 83 (July 2020). Since this vulnerability was found in Chrome – the most widely used browser today with over two billion users and more than 65% of the browser market – the implications are huge. CSP is the primary method used by website owners to enforce data security policies to prevent malicious Shadow Code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk.

Other than a handful of websites that were not impacted from this vulnerability due to enhanced CSP policies controlled on the server side, many websites were susceptible to CSP bypass and potential malicious script execution. These include some of the largest websites in the world such as Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger and Quora. When combined with the increasing ease by which the attackers gain unauthorized access to web servers, this CSP bypass vulnerability had the potential for massive data breaches. This means that billions of users were potentially at risk of their data being breached by malicious code that bypassed the sites’ security policies.

For the technical details of the vulnerability, you can go here.

What is CSP?

CSP is a capability defined by the World Wide Web Consortium as part of the web standards that direct the browser to enforce certain client-side policies. With CSP rules, the website can direct the browser to block or allow specific requests including specific types of JavaScript code execution. This ensures stronger security for site visitors and protects them from malicious scripts. Developers use (Read more...)