Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers

2020-08-11 08:18

Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy rules since Chrome 73.

Tracked as CVE-2020-6519, the issue stems from a CSP bypass that results in arbitrary execution of malicious code on target websites.

After the findings were disclosed to Google, the Chrome team issued a fix for the vulnerability in Chrome 84 update that began rolling out on July 14 last month.

Given that CSP is the primary method used by website owners to enforce data security policies and prevent the execution of malicious scripts, a CSP bypass can effectively put user data at risk.

It's worth noting that websites like Twitter, Github, LinkedIn, Google Play Store, Yahoo's Login Page, PayPal, and Yandex were not found vulnerable since the CSP policies were implemented using a nonce or hash to allow the execution of inline scripts.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/XTzNQ5YLZlg/chrome-csp-bypass.html

#browser #bypass #chrome #google #googlechrome #hacker #WEB #CVE-2020-6519

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2020-07-22	CVE-2020-6519	Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page. network low complexity google debian opensuse fedoraproject	6.5

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Google		140	994	4863	2810	1621	10288

News URL

Related news

Related Vulnerability

Related vendor