Chrome exposes billions of users to the risk of data theft: a vulnerability in Google's Chromium-based browsers allows attackers to bypass a website's content security policy (CSP) in order to execute malicious code.
The flaw (CVE-2020-6519) was found in the Chrome, Opera and Edge browsers on Windows, Android and Mac. According to cybersecurity researcher Gal Weizman, this vulnerability has the potential to affect billions of users.
Chrome releases from version 73 (released in March 2019) through version 83 are affected; version 84, released in July, fixed the issue.
A content security policy (CSP) is a web standard intended to thwart certain types of attacks, including cross-site scripting (XSS) and data injection attacks.
The CSP standard allows web administrators to specify the domains that a browser should consider valid sources of executable scripts. A CSP-compliant browser then executes only scripts loaded from source files received from those domains.
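The allowlist check described above, as an added example that is not part of the original article: a simplified model of how a CSP-compliant browser decides whether an external script may load. The policy, origins and URLs are constructed, and paths, nonces, hashes and `'strict-dynamic'` are deliberately not modelled.

```javascript
// Added example: simplified CSP script-source check, not a full CSP Level 3 matcher.
// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

const defaultPort = (protocol) => (protocol === 'https:' ? '443' : '80');

// Does one source expression match the script URL?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false; // 'none', nonces, hashes: never a URL match
  if (e === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  // host-source: [scheme://]host[:port]; any path part is ignored in this model
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  // No port in the expression means the scheme's default port.
  const wanted = port ?? defaultPort(url.protocol);
  if (wanted !== '*' && wanted !== (url.port || defaultPort(url.protocol))) return false;
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // *.example.net matches subdomains only
    : url.hostname === host;
}

// Decide whether an external script may load under the policy.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample policy and page origin.
const CSP = "default-src 'none'; script-src 'self' https://cdn.example.com *.static.example.net";
const PAGE = 'https://shop.example.com';
console.log(scriptAllowed(CSP, 'https://cdn.example.com/lib.js', PAGE));
console.log(scriptAllowed(CSP, 'https://evil.example.org/x.js', PAGE));
```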
“The CSP standard is the primary method used by website owners to enforce data security policies to prevent malicious code executions on their website, and when policies can be overridden, personal user data is at risk,” Weizman said in research published Monday.
The researcher pointed out that most websites use CSP, including internet giants such as Facebook, Gmail, Instagram and WhatsApp.
Some prominent names were not affected, including GitHub, Google Play Store, LinkedIn, PayPal, Twitter, and the Yahoo and Yandex login pages.
The vulnerability is classified as a moderate problem, 6.5 out of 10 on the CVSS scale, but because it affects the implementation of the CSP standard it has major implications; Weizman compared it to the problem of seat belts and airbags in the car.