Chrome was recently found to have a security issue that enabled hackers to extract your data from Facebook. Ron Masas, a security researcher from Imperva, first discovered the vulnerability, tracked as CVE-2018-6177, which takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by the “Blink Engine,” including Google Chrome.
To illustrate the attack scenario, the researcher took an example of Facebook, a popular social media platform that collects in-depth profiling information on its users, including their age, gender, where they have been (location data), and interests, i.e., what you like and what you don’t.
Chrome, known as the best browser available on the market, showed a lack of responsibility for keeping its users’ information safe.
How does the attack work?

To demonstrate the vulnerability, the researcher created an ad to gather different categories of audiences according to their age, gender, location, etc.
Now, if a website embeds all these Facebook posts on a web page, it will load and display only a few specific posts at the visitors’ end based on individuals’ profile data on Facebook that matches restricted audience settings.
For example, if a post—defined to be visible only to Facebook users aged 26, male, having an interest in hacking or Information Security—was loaded successfully, an attacker can potentially learn personal information on visitors, regardless of their privacy settings.
Though the idea sounds exciting and quite simple, there is no direct way for site administrators to determine whether an embedded post was loaded successfully for a specific visitor.

We have Cross-Origin Resource Sharing (CORS) to thank for that: it is a security protocol that prevents websites from reading other websites’ content without their permission.
However, the Imperva researcher found that, because audio and video HTML tags don’t validate the content of the resources they load, a hacker can easily use hidden audio and video tags to request any post.
The same type of bug was patched back in June. It exploited the same cross-origin resource sharing (CORS) weakness in how web browsers handle requests for audio and video, and allowed attackers to see your Gmail and Facebook private messages.
Though the attack still doesn’t display the Facebook posts as they are intended, thanks to cross-origin resource sharing, it’s best to check and update Chrome.
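
For site operators, one server-side defence against this class of request, as an added example that is not part of the original article or the researcher's work: modern browsers attach `Sec-Fetch-Site` and `Sec-Fetch-Dest` request headers, so a server can refuse requests that an audio or video element makes for non-media pages. The `/media/` route rule, the paths and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: Fetch Metadata check for requests made by media elements.
// Assumption: header names arrive lower-cased, as Node's http module provides them.
const MEDIA_DESTS = new Set(["audio", "video"]);

// Hypothetical routing rule: only /media/ paths legitimately serve audio or video.
function isMediaRoute(path) {
  return path.startsWith("/media/");
}

// Returns { allow, reason } for one request.
function checkMediaEmbed(path, headers) {
  const site = headers["sec-fetch-site"];
  const dest = headers["sec-fetch-dest"];
  // Older browsers send no Fetch Metadata; this check cannot judge them.
  if (site === undefined || dest === undefined) {
    return { allow: true, reason: "no-fetch-metadata" };
  }
  // An <audio>/<video> element is fetching a page or API response, not media.
  if (MEDIA_DESTS.has(dest) && !isMediaRoute(path)) {
    return { allow: false, reason: "media-element-on-non-media-route" };
  }
  // Policy choice in this example: real media is not served to cross-site embedders.
  if (MEDIA_DESTS.has(dest) && site === "cross-site") {
    return { allow: false, reason: "cross-site-media-embed" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample requests (paths and header values are illustrative).
const samples = [
  { path: "/posts/123", headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "video" } },
  { path: "/posts/123", headers: { "sec-fetch-site": "none", "sec-fetch-dest": "document" } },
  { path: "/media/clip.mp4", headers: { "sec-fetch-site": "same-origin", "sec-fetch-dest": "video" } },
  { path: "/media/clip.mp4", headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "audio" } },
  { path: "/posts/123", headers: {} },
];

for (const s of samples) {
  const verdict = checkMediaEmbed(s.path, s.headers);
  console.log(s.path, JSON.stringify(s.headers), "->", verdict.allow ? "serve" : "403", verdict.reason);
}
```

Requests without Fetch Metadata headers pass through unchanged, so this check complements the browser update rather than replacing it.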
What should I do?
- Open Google Chrome.
- Check if there is an option to update Chrome.
- Update to the latest version of Chrome if available.