Google Chrome, Microsoft Edge flaws leave billions open to attack

[Image: Google Chrome app. Image credit: Big Tuna Online/Shutterstock]

Billions of internet users are exposed to the threat of cyberattacks as the result of a security flaw affecting Chromium-based web browsers, including Google Chrome and Microsoft Edge, on Windows, Mac and Android.

Gal Weizman, a security researcher at PerimeterX, disclosed a vulnerability that lets attackers bypass the Content Security Policy (CSP) that websites rely on.

Inserting malicious code

Bypassing CSP lets attackers insert malicious code into websites and access user data on vulnerable browsers, which besides Chrome and Edge include Brave, Opera and Vivaldi across various operating systems.

In a blog post, Weizman explained that the flaw makes it possible for hackers to “fully bypass CSP rules on Chrome versions 73 (March 2019) through 83 (July 2020)”.

He said: “To better understand the magnitude of this vulnerability: the potentially impacted users are in the billions, with Chrome having over two billion users, and more than 65% of the browser market on one hand, and some of the most popular sites on the web being vulnerable to this [vulnerability] on the other hand.”

Weizman went on to explain that CSP is “the primary method used by website owners to enforce data-security policies to prevent malicious shadow-code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk.”

In practice, CSP is an HTTP response header through which a site's operators tell the browser which origins may supply scripts (and other resources) to a page; anything not on that list is refused. It's an effective way to block cross-site scripting (XSS) and other common browser-based attacks, because injected code that the policy does not permit never runs.
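To make the browser-side decision concrete, here is an added example (my own code, not the article's and not anything from PerimeterX or the Chromium project): a small evaluator for the script-src directive of a CSP header. Given the page's origin and the origin of a script the page tries to load, it answers whether the policy permits the load. It goes a little beyond the article's one-sentence description by handling 'self', 'none', 'unsafe-inline', scheme sources such as https:, and host sources with an optional scheme, port and leading '*.' wildcard; nonces, hashes and 'strict-dynamic' are left out. The policy and all host names are constructed for the demonstration.

```python
"""Minimal evaluator for the CSP script-src directive (added example).
Handles 'self', 'none', 'unsafe-inline', scheme sources and host sources
with optional scheme, port and '*.' wildcard. Nonces, hashes and
'strict-dynamic' are out of scope."""
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORT.get(scheme)


def host_matches(pattern, host):
    """Match a host pattern; '*.example.com' matches subdomains only."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr, page_origin, script_origin):
    """Does one source expression permit a script from script_origin?"""
    scheme, host, port = script_origin
    if expr == "'self'":
        return page_origin == script_origin
    if expr.endswith(":"):                 # scheme source, e.g. "https:"
        return scheme == expr[:-1].lower()
    if "://" in expr:                      # host source with explicit scheme
        expr_scheme, rest = expr.split("://", 1)
        if scheme != expr_scheme.lower():
            return False
    else:                                  # scheme-less host source inherits the
        rest = expr                        # page's scheme; http->https upgrade is ok
        if scheme != page_origin[0] and not (scheme == "https" and page_origin[0] == "http"):
            return False
    host_part, _, port_part = rest.partition(":")
    if not host_matches(host_part, host):
        return False
    if port_part == "*":
        return True
    if port_part:
        return port == int(port_part)
    return port == DEFAULT_PORT.get(scheme)


def script_allowed(header, page_url, script_url=None):
    """True if the policy lets page_url run script_url.
    script_url=None stands for an inline <script>, which needs 'unsafe-inline'."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:                    # no governing directive: unrestricted
        return True
    if script_url is None:
        return "'unsafe-inline'" in sources
    if sources == ["'none'"]:
        return False
    page_origin, script_origin = origin_of(page_url), origin_of(script_url)
    return any(source_matches(s, page_origin, script_origin) for s in sources)


# Constructed policy in the shape a site operator would deploy (hypothetical hosts).
POLICY = ("default-src 'self'; "
          "script-src 'self' https://cdn.example.com *.static.example.net; "
          "object-src 'none'")

if __name__ == "__main__":
    page = "https://www.example.com/account"
    for script in ("https://cdn.example.com/lib.js", "https://attacker.example.org/x.js", None):
        verdict = "allowed" if script_allowed(POLICY, page, script) else "blocked"
        print(f"{script!s:40} -> {verdict}")
```

The point of the exercise is the last branch: a script from an origin the policy never listed, or an inline script when 'unsafe-inline' is absent, is refused. A browser bug that skips this check (which is what the article describes) means injected code runs even though the site did everything right, which is why the fix has to come from the browser update rather than from the site's policy.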

High-profile websites were vulnerable

But due to this flaw, users of high-profile websites such as “Facebook, Wells Fargo, Gmail, Zoom, TikTok, Instagram, WhatsApp, Investopedia, ESPN, Roblox, Indeed, Blogger and Quora” were put at risk of cyberattacks.

To exploit this flaw, an attacker would first have to break into a targeted website's server and alter the site's JavaScript to insert malicious code.

Weizman added: “Besides the sites mentioned above (representing more than 2.5 billion users), it is safe to estimate that thousands of websites across industries, including e-commerce, banking, telecommunications, government, and utilities were left unprotected from a scenario where hackers managed to inject malicious code into them.”

What to do 

The flaw was fixed in Chromium 84, released July 14. If you haven't updated your Chromium-based browser since then, do so now.

Click the menu icon in the upper right of the browser window, scroll down to the Help entry and hover over it, then select About in the slide-out menu. (Some browsers list About as a stand-alone entry.) Opening that page prompts the browser to check for and install the update.

In addition to Brave, Chrome, Edge, Opera and Vivaldi, other browsers based on Chromium include Amazon Silk and the Yandex browser.
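Site operators have a complementary check: how many of their visitors are still on an engine version in the affected range? Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, Silk, Yandex) carry a "Chrome/<version>" token in their User-Agent string even when the product name differs, so that token gives the engine version. The following is an added example of my own (not the article's, and not tooling from any browser vendor) that scans access-log lines in the combined log format and buckets each visitor as affected (73 through 83, the range the article quotes), patched (84 or later), older, or not Chromium at all. The log lines are constructed.

```python
"""Scan access-log lines for Chromium engine versions (added example).
Buckets each visitor against the affected range (73-83) named in the article
and the fixed release (84). Log lines are constructed for the demonstration."""
import re
from collections import Counter

AFFECTED_MIN, AFFECTED_MAX = 73, 83        # range quoted in the article
FIXED_MAJOR = 84                           # fixed in Chromium 84

CHROME_TOKEN = re.compile(r"\bChrome/(\d+)\.")
# Combined log format: client IP first, User-Agent as the last quoted field.
LOG_LINE = re.compile(r'^(\S+) .* "[^"]*" "([^"]*)"$')

# Constructed sample: Chrome 83, Edge on Chromium 84, Android Chrome 78,
# Firefox, Opera on Chromium 84, and an old Chrome 72.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
203.0.113.9 - - [20/Aug/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Edg/84.0.522.52"
198.51.100.7 - - [20/Aug/2020:10:00:03 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Mobile Safari/537.36"
198.51.100.8 - - [20/Aug/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0"
192.0.2.14 - - [20/Aug/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 OPR/70.0.3728.95"
192.0.2.15 - - [20/Aug/2020:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
"""


def engine_major(user_agent):
    """Chromium major version from a User-Agent string, or None if not Chromium."""
    m = CHROME_TOKEN.search(user_agent)
    return int(m.group(1)) if m else None


def classify(major):
    """Bucket an engine version against the affected range."""
    if major is None:
        return "not-chromium"
    if major >= FIXED_MAJOR:
        return "patched"
    if AFFECTED_MIN <= major <= AFFECTED_MAX:
        return "affected"
    return "older"


def scan_log(text):
    """Return per-bucket counts and the (ip, major) pairs still affected."""
    counts = Counter()
    affected = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        ip, ua = m.groups()
        bucket = classify(engine_major(ua))
        counts[bucket] += 1
        if bucket == "affected":
            affected.append((ip, engine_major(ua)))
    return counts, affected


if __name__ == "__main__":
    counts, affected = scan_log(SAMPLE_LOG)
    print(dict(counts))
    for ip, major in affected:
        print(f"{ip} still on Chromium {major}")
```

The Chrome token is read with a search rather than a full User-Agent parse so that the Edge and Opera lines are classified by their Chromium version (84) and not by their own product versions. User-Agent strings are client-supplied, so treat the result as a population estimate for deciding whether an "update your browser" banner is worth showing, not as proof about any individual visitor.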

“It is important that we make it as difficult as possible for threat actors to hack into our accounts or steal our information,” Jake Moore, a security specialist at ESET, told Tom’s Guide. “Similar to many thefts, offenders will target those with minimal security or lack of awareness first as it is far easier to hit those low-hanging fruit.”

“Using unique and strong passwords and making sure your browser is up to date can help mitigate many attacks like this one,” Moore recommends. “Protecting yourself with a password generator for all of your accounts will make it extremely difficult for hackers to brute force their way in.”


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!