How Did This Chrome Bug Expose User Facebook Details?
The new release of browser Chrome 68 from Google marks all non-HTTPS website as Not Secure, thus cautioning the user that they are on the website at their own risk. The original article on hackernews.com revealed this interesting information.
If your website is still not certified SSL with HTTPS then here you have all the reason why your website will be isolated or declared not-secured. Switch to the latest and comply your website to match the recently released Chrome web browser.
The vulnerability in web browsers that could allow attackers to find everything other web platforms, like Facebook and Google, knows about you—and all they need is just trick you into visiting a website,” said Ron Masas, a security researcher from Imperva. The vulnerability, identified as CVE-2018-6177, takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by “Blink Engine,” including Google Chrome.
The researcher took an example of Facebook to illustrate the attack scenario, by going to a popular social media platform that collects in-depth profiling information on its users, including their age, gender, where you have been (location data) and interests, about what you like and what you don’t.
You must be aware of Facebook offering post targeting feature to page administrators, allowing them to define a targeted or restricted audience for specific posts based on their age, location, gender, and interest.
To exhibit the vulnerability the researchers made various Facebook posts on different moods and subjects for certain groups of the audience to sort their victims as per their age, area, intrigue or sexual orientation.
Right now, if a site takes all these Facebook posts on a web page, it will load and show just a couple of particular posts at the guests’ end in light of people’s profile information on Facebook that matches limited audience settings.
For instance, if a post—is set to be visible only to people the Facebook user with age 26, male, having enthusiasm for hacking or Information Security—was stacked effectively, an aggressor can conceivably learn individual data on guests, paying little heed to their protection settings.
Though the idea sounds exciting and quite simple, there are no direct ways available for site administrators to determine whether an embedded post was loaded successfully for a specific visitor or not.
Thanks to Cross-Origin Source Sharing (CORS) —a browser security mechanism that prevents a website from reading the content of other sites without their explicit permission. However, Imperva researcher found that since audio and video HTML tags don’t validate the content type of fetched resources or reject responses with invalid MIME types, an attacker can use multiple hidden video or audio tags on a website to request Facebook posts.
Though this method doesn’t display Facebook posts as intended, it does allow the attacker-controlled website to measure (using JavaScript) the size of cross-origin resources and number of requests to find out which specific posts were successfully fetched from Facebook for an individual visitor.
A Google security group has likewise pointed out that the vulnerability could likewise conflict with web sites utilizing APIs to search user session on particular data.
The centre of this vulnerability has a few similarity with another bug that was fixed in June this year, which misused a vulnerability in how internet browsers handle cross-origin solicitations to video and sound documents, enabling hackers to peruse the substance of your Gmail or private Facebook messages.
So, Chrome users are strongly recommended to update their browser to the latest version, if they haven’t yet. Researchers reported that the vulnerability to Google with a proof of idea abuse, and the Chrome group fixed the issue in the recently released Chrome 68.