Imperva uncovers Google Chrome vulnerability
The hole has been fixed, but only for those using the latest version of Chrome
Imperva has discovered a Google Chrome vulnerability that could potentially allow malicious actors to hack into users' computers to find sensitive information from Facebook and other personal platforms.
The bug researchers unearthed use the Blink engine in Google Chrome to break into the browser. Although the vulnerability has apparently been fixed with the latest update to Google Chrome, 58% of Chrome users haven't updated their browsers, leaving them exposed to the vulnerability.
"Attackers could establish the exact age or gender of a person, as it is saved on Facebook, regardless of their privacy settings," said Ron Masas, a researcher at security firm Imperva. "With several scripts running at once each testing a different and unique restriction the bad actor can relatively quickly mine a good amount of private data about the user."
Imperva explained the security hole takes advantage of Audio/Video HTML tags to generate requests to a target resource. It watches the actions made to the resource and then poses questions to the browser about its user based upon the pages it's accessed, requiring yes or no answers.
So if someone visits the site (such as Facebook), hidden video or audio tags will be implemented into the browser. It will then request Facebook posts the attacker has planted and can then analyse the victim's personal data including information such as their age as it's saved on Facebook.
"For example, a bad actor can create sizeable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size," Masas said. "The same method can be used to extract the user gender, likes, and many other user properties we were able to reflect through crafted posts or Facebook's Graph Search endpoints."
Google patched the security hole in Chrome 68's release after being advised about the potential problem by Imperva's researchers.
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Security best practices for PostgreSQL
Securing data with PostgreSQLDownload now
Transform your MSP business into a money-making machine
Benefits and challenges of a recurring revenue modelDownload now
The care and feeding of cloud
How to support cloud infrastructure post-migrationWatch now