Imperva uncovers Google Chrome vulnerability

The hole has been fixed, but only for those using the latest version of Chrome

Imperva has discovered a Google Chrome vulnerability that could potentially allow malicious actors to hack into users' computers to find sensitive information from Facebook and other personal platforms.

The bug researchers unearthed use the Blink engine in Google Chrome to break into the browser. Although the vulnerability has apparently been fixed with the latest update to Google Chrome, 58% of Chrome users haven't updated their browsers, leaving them exposed to the vulnerability.

"Attackers could establish the exact age or gender of a person, as it is saved on Facebook, regardless of their privacy settings," said Ron Masas, a researcher at security firm Imperva. "With several scripts running at once each testing a different and unique restriction the bad actor can relatively quickly mine a good amount of private data about the user."

Imperva explained the security hole takes advantage of Audio/Video HTML tags to generate requests to a target resource. It watches the actions made to the resource and then poses questions to the browser about its user based upon the pages it's accessed, requiring yes or no answers.

So if someone visits the site (such as Facebook), hidden video or audio tags will be implemented into the browser. It will then request Facebook posts the attacker has planted and can then analyse the victim's personal data including information such as their age as it's saved on Facebook.

"For example, a bad actor can create sizeable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size," Masas said. "The same method can be used to extract the user gender, likes, and many other user properties we were able to reflect through crafted posts or Facebook's Graph Search endpoints."

Google patched the security hole in Chrome 68's release after being advised about the potential problem by Imperva's researchers.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
Alienware’s new gaming laptop is a kick in the teeth for Intel’s new CEO
Hardware

Alienware’s new gaming laptop is a kick in the teeth for Intel’s new CEO

8 Apr 2021