Security News > 2020 > August > Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers
![Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers](/static/build/img/news/google-chrome-bug-could-let-hackers-bypass-csp-protection-update-web-browsers.jpg)
Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy rules since Chrome 73.
Tracked as CVE-2020-6519, the issue stems from a CSP bypass that results in arbitrary execution of malicious code on target websites.
After the findings were disclosed to Google, the Chrome team issued a fix for the vulnerability in Chrome 84 update that began rolling out on July 14 last month.
Given that CSP is the primary method used by website owners to enforce data security policies and prevent the execution of malicious scripts, a CSP bypass can effectively put user data at risk.
It's worth noting that websites like Twitter, Github, LinkedIn, Google Play Store, Yahoo's Login Page, PayPal, and Yandex were not found vulnerable since the CSP policies were implemented using a nonce or hash to allow the execution of inline scripts.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/XTzNQ5YLZlg/chrome-csp-bypass.html
Related news
- Google Chrome to let Isolated Web App access sensitive USB devices (source)
- Google Chrome reduced cookie requests to improve performance (source)
- New ARM 'TIKTAG' attack impacts Google Chrome, Linux systems (source)
- Fake Google Chrome errors trick you into running malicious PowerShell scripts (source)
- Google Chrome now warns about risky password-protected archives (source)
- Google Chrome now asks for passwords to scan protected archives (source)
- Oops. Apple relied on bad code while flaming Google Chrome's Topics ad tech (source)
- Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells (source)
- Risk of installing dodgy extensions from Chrome store way worse than Google's letting on, study suggests (source)
- Hackers target new MOVEit Transfer critical auth bypass bug (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-07-22 | CVE-2020-6519 | Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page. | 6.5 |