Imperva uncovers Google Chrome vulnerability

The hole has been fixed, but only for those using the latest version of Chrome

Imperva has discovered a Google Chrome vulnerability that could potentially allow malicious actors to hack into users' computers to find sensitive information from Facebook and other personal platforms.

The bug researchers unearthed use the Blink engine in Google Chrome to break into the browser. Although the vulnerability has apparently been fixed with the latest update to Google Chrome, 58% of Chrome users haven't updated their browsers, leaving them exposed to the vulnerability.

"Attackers could establish the exact age or gender of a person, as it is saved on Facebook, regardless of their privacy settings," said Ron Masas, a researcher at security firm Imperva. "With several scripts running at once each testing a different and unique restriction the bad actor can relatively quickly mine a good amount of private data about the user."

Imperva explained the security hole takes advantage of Audio/Video HTML tags to generate requests to a target resource. It watches the actions made to the resource and then poses questions to the browser about its user based upon the pages it's accessed, requiring yes or no answers.

Advertisement - Article continues below
Advertisement - Article continues below

So if someone visits the site (such as Facebook), hidden video or audio tags will be implemented into the browser. It will then request Facebook posts the attacker has planted and can then analyse the victim's personal data including information such as their age as it's saved on Facebook.

"For example, a bad actor can create sizeable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size," Masas said. "The same method can be used to extract the user gender, likes, and many other user properties we were able to reflect through crafted posts or Facebook's Graph Search endpoints."

Google patched the security hole in Chrome 68's release after being advised about the potential problem by Imperva's researchers.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now

Most Popular

Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019

Patch issued for critical Windows bug

11 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
big data

Google reveals UK’s most searched for terms in 2019

11 Dec 2019