Billions of internet users have been exposed to cyberattacks as a result of a security flaw in Chromium-based web browsers, including Google Chrome and Microsoft Edge, on Windows, Mac and Android.
Gal Weizman, a security researcher at PerimeterX, disclosed a vulnerability that let attackers bypass the Content Security Policy (CSP) that websites send to browsers to control which scripts may run on their pages.
Inserting malicious code
A CSP bypass does not by itself put code on a page; it means that script an attacker manages to inject, for example through a cross-site-scripting hole, is no longer blocked by the browser and can run with the page's privileges and read user data. Because the enforcement lives in the shared Chromium code, the affected browsers include Brave, Opera and Vivaldi as well as Chrome and Edge, across the operating systems they run on.
In a blog post, Weizman explained that the flaw makes it possible for hackers to “fully bypass CSP rules on Chrome versions 73 (March 2019) through 83 (July 2020)”.
He said: “To better understand the magnitude of this vulnerability - the potentially impacted users are in the billions, with Chrome having over two billion users, and more than 65% of the browser market on one hand, and some of the most popular sites on the web being vulnerable to this [vulnerability] on the other hand."
Weizman went on to explain that CSP is “the primary method used by website owners to enforce data-security policies to prevent malicious shadow-code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk.”
In practice, CSP is a response header (Content-Security-Policy) that a site sends along with a page and that the browser enforces: it lists which origins may supply scripts and other resources, and it refuses to run inline script unless the script carries a nonce or hash the policy names. That makes it one of the main defences against cross-site scripting and similar injection attacks, but it is a second line of defence that depends entirely on the browser doing the enforcing; a bug like this one removes the protection without anything changing on the website itself.
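To make concrete what the browser is supposed to decide, here is an added example written for this article (not code from PerimeterX, Chromium or any site named on this page). It models the script-src decision for 'self', 'none', scheme and host sources, 'unsafe-inline' and nonces; hash sources and 'strict-dynamic' are deliberately not modelled. The page URL, policies and script elements it tests are constructed for the demonstration, and it runs under Node.js:

```javascript
// Added example: a minimal evaluator for the script-src part of a Content-Security-Policy
// header. It is not browser code; it mirrors the rules a browser is expected to apply.

// Parse "directive source source; directive ..." into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match a host-source such as https://cdn.example.com, *.example.com:8443/libs/ or *.
function hostSourceMatches(source, url, pageUrl) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern, portPattern, pathPattern] = m;
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  if (scheme) {
    if (scheme.toLowerCase() !== urlScheme) return false;
  } else {
    // No scheme in the source: the page's scheme applies, and http may upgrade to https.
    const pageScheme = pageUrl.protocol.slice(0, -1);
    if (urlScheme !== pageScheme && !(pageScheme === 'http' && urlScheme === 'https')) return false;
  }
  const host = url.hostname.toLowerCase();
  const hp = hostPattern.toLowerCase();
  if (hp.startsWith('*.')) {
    if (!host.endsWith(hp.slice(1))) return false;  // '*.example.com' requires a subdomain
  } else if (hp !== '*' && host !== hp) {
    return false;
  }
  if (portPattern && portPattern !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : url.protocol === 'http:' ? '80' : '');
    if (urlPort !== portPattern) return false;
  }
  if (pathPattern) {
    const prefix = pathPattern.endsWith('/');
    if (prefix ? !url.pathname.startsWith(pathPattern) : url.pathname !== pathPattern) return false;
  }
  return true;
}

// Does one source expression permit loading an external script from `url`?
function sourceAllowsUrl(source, url, pageUrl) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageUrl.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;  // scheme-source, e.g. https:
  if (s.startsWith("'")) return false;                             // keywords and nonces never match a URL
  return hostSourceMatches(source, url, pageUrl);
}

// Decide whether a script may run on the page at `pageUrl` under `header`.
// `script` is { src: '...' } for an external script or { inline: true } for an inline
// <script> block; either may carry a `nonce` taken from the element's nonce attribute.
function scriptAllowed(header, pageUrl, script) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                        // no governing directive: nothing to enforce
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.includes("'none'")) return false;
  // Nonces are compared case-sensitively against the value inside 'nonce-...'.
  const nonces = sources.filter((s) => /^'nonce-[^']+'$/i.test(s)).map((s) => s.slice(7, -1));
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (script.inline) {
    // CSP2 and later: once any nonce or hash source is present, 'unsafe-inline' is ignored.
    const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  const page = new URL(pageUrl);
  const url = new URL(script.src, page);             // a relative src resolves against the page
  return sources.some((s) => sourceAllowsUrl(s, url, page));
}

// Constructed page and policies for the demonstration (not a real site or real headers).
const PAGE_URL = 'https://bank.example/account';
const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; object-src 'none'";
const WEAK_CSP = "script-src 'self' 'unsafe-inline' *";
const NONCE_PLUS_UNSAFE_CSP = "script-src 'self' 'unsafe-inline' 'nonce-abc123'";

const cases = [
  ['strict: own script', STRICT_CSP, { src: '/static/app.js' }],
  ['strict: allow-listed CDN', STRICT_CSP, { src: 'https://cdn.example.com/lib.js' }],
  ['strict: attacker host', STRICT_CSP, { src: 'https://evil.example/steal.js' }],
  ['strict: injected inline script', STRICT_CSP, { inline: true }],
  ['strict: inline with the page nonce', STRICT_CSP, { inline: true, nonce: 'r4nd0m' }],
  ['weak: injected inline script', WEAK_CSP, { inline: true }],
  ['weak: attacker host', WEAK_CSP, { src: 'https://evil.example/steal.js' }],
  ['nonce present: unsafe-inline ignored', NONCE_PLUS_UNSAFE_CSP, { inline: true }],
];
for (const [label, csp, script] of cases) {
  console.log(`${label.padEnd(40)} -> ${scriptAllowed(csp, PAGE_URL, script) ? 'allowed' : 'BLOCKED'}`);
}
```

The "strict: injected inline script" and "strict: attacker host" rows are the cases a CSP exists to block: an injected `<script>` without the page's nonce, or a script pulled from a host the policy does not list. A browser bug of the kind described in this article is one where the browser answers "allowed" in those rows even though the policy says otherwise; nothing on the server side can detect or prevent that, which is why the only remedy is updating the browser.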
High-profile websites were vulnerable
But because of this flaw, users of high-profile websites such as “Facebook, Wells Fargo, Gmail, Zoom, TikTok, Instagram, WhatsApp, Investopedia, ESPN, Roblox, Indeed, Blogger and Quora” were put at risk of cyberattacks.
Weizman added: “Besides the sites mentioned above (representing more than 2.5 billion users), it is safe to estimate that thousands of websites across industries, including e-commerce, banking, telecommunications, government, and utilities were left unprotected from a scenario where hackers managed to inject malicious code into them.”
What to do
The flaw was fixed in Chromium 84, released July 14, 2020. If you haven't updated your Chromium-based browser since then, do so now.
In Chrome, click the three-dot menu icon in the upper right of the browser window, hover over Help and choose About Google Chrome; other Chromium-based browsers put a similar About entry either under Help or as a stand-alone menu item. Opening that page prompts the browser to check for and install an update. Confirm that the version it shows is 84 or higher, then relaunch the browser so the update takes effect.
In addition to Brave, Chrome, Edge, Opera and Vivaldi, other browsers based on Chromium include Amazon Silk and the Yandex browser. Each vendor ships the Chromium fix in its own release, so check the version rather than assuming the update has already arrived.
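Site operators who want to gauge how many of their visitors were still on affected versions can read the Chromium major version out of the User-Agent strings in their access logs. The following is an added example written for this article, not code from any browser vendor named here; the log lines it scans are constructed, and the 73 to 83 range and the fix in 84 are taken from the text above. It runs under Node.js:

```javascript
// Added example: flag requests from Chromium-based browsers in the affected range by
// parsing User-Agent strings from Combined Log Format access-log lines.
// Every Chromium-based browser on Windows, macOS, Linux and Android (Chrome, Edge,
// Brave, Opera, Vivaldi, Yandex, Silk) includes a "Chrome/<major>." token carrying its
// Chromium version, whatever branding token (Edg/, OPR/, YaBrowser/) follows it.
// Chrome on iOS reports "CriOS/" and uses Apple's WebKit engine, so it is not matched.

const AFFECTED_MIN_MAJOR = 73;  // first affected Chromium release, per the disclosure quoted above
const FIXED_MAJOR = 84;         // Chromium 84 carries the fix

// Chromium major version from a UA string, or null for non-Chromium browsers.
function chromiumMajor(userAgent) {
  const m = /\bChrome\/(\d+)\./.exec(userAgent);
  return m ? Number(m[1]) : null;
}

function isAffected(userAgent) {
  const major = chromiumMajor(userAgent);
  return major !== null && major >= AFFECTED_MIN_MAJOR && major < FIXED_MAJOR;
}

// The UA is the last double-quoted field of a Combined Log Format line.
function userAgentFromLogLine(line) {
  const quoted = line.match(/"[^"]*"/g);
  return quoted ? quoted[quoted.length - 1].slice(1, -1) : '';
}

// Tally affected, fixed, pre-range and non-Chromium requests, plus a per-major breakdown.
function summarize(lines) {
  const result = { affected: 0, fixed: 0, olderThanRange: 0, notChromium: 0, byMajor: {} };
  for (const line of lines) {
    const major = chromiumMajor(userAgentFromLogLine(line));
    if (major === null) { result.notChromium += 1; continue; }
    result.byMajor[major] = (result.byMajor[major] || 0) + 1;
    if (major < AFFECTED_MIN_MAJOR) result.olderThanRange += 1;
    else if (major < FIXED_MAJOR) result.affected += 1;
    else result.fixed += 1;
  }
  return result;
}

// Constructed log lines for the demonstration; addresses, site and UA strings are made up.
const SAMPLE_LOG = [
  '198.51.100.7 - - [15/Jul/2020:09:12:01 +0000] "GET /account HTTP/1.1" 200 5123 "https://bank.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"',
  '198.51.100.8 - - [15/Jul/2020:09:12:05 +0000] "GET /account HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Edg/84.0.522.50"',
  '198.51.100.9 - - [15/Jul/2020:09:12:09 +0000] "GET /account HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"',
  '198.51.100.10 - - [15/Jul/2020:09:12:14 +0000] "GET /account HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/83.0.4103.88 Mobile/15E148 Safari/604.1"',
  '198.51.100.11 - - [15/Jul/2020:09:12:20 +0000] "GET /account HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 OPR/69.0.3686.77"',
  '198.51.100.12 - - [15/Jul/2020:09:12:31 +0000] "GET /account HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36"',
];

console.log(summarize(SAMPLE_LOG));
```

Treat the tally as an estimate of exposure rather than an inventory: User-Agent strings can be spoofed or frozen, and Brave deliberately reports a plain Chrome UA, so the count cannot distinguish one Chromium-based browser from another, only the Chromium version they are built on.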
"It is important that we make it as difficult as possible for threat actors to hack into our accounts or steal our information," Jake Moore, a security specialist at ESET, told Tom’s Guide. "Similar to many thefts, offenders will target those with minimal security or lack of awareness first as it is far easier to hit those low-hanging fruit.”
“Using unique and strong passwords and making sure your browser is up to date can help mitigate many attacks like this one," Moore recommends. "Protecting yourself with a password generator for all of your accounts will make it extremely difficult for hackers to brute force their way in.”