Billions of Users Affected by Google Chrome Zero-Day That Allows Attackers To Fully Bypass CSP Rules

Gal Weizman, a security researcher at PerimeterX, has recently disclosed a zero-day flaw in the Google Chrome browser that lets attackers entirely bypass CSP rules; the vulnerability has been assigned CVE-2020-6519.

Weizman said that “it quite surprised him when he identified that the zero-day vulnerability has been affecting Chromium-based browsers like Chrome, Opera, Edge – on Windows, Mac, and Android. And more importantly, they are allowing the attackers to completely bypass the CSP rules on Chrome versions 73 (March 2019) through 83 (July 2020).”

CSP is the primary mechanism website owners use to enforce data security policies and to stop malicious Shadow Code from executing on their websites.

Moreover, the issue is quite severe, as Chrome is currently the most widely used web browser, with nearly two billion users and more than 65% of the browser market.

What is the Potential Impact?

CSP is a standard built around a set of rules defined by the website; the browser's role is to recognize and enforce all of those rules on the website's behalf.

These rules let the site ask the browser to either block or allow particular application calls, specific types of JavaScript code execution, and more.

This provides more robust security for site visitors and shields them from injected malicious scripts and cross-site scripting (XSS).

So, with this bypass, having a CSP enforcement mechanism in place no longer means a site is protected from the threat actor: all an attacker needs is to get a malicious script called from the site.
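To make the "set of rules defined by the website, enforced by the browser" model concrete, here is an added example (not PerimeterX's code and not Chrome's implementation) of how a CSP header is parsed and how a browser decides whether a script load or an inline script is permitted. The policy, the shop.example origin and the cdn.example.com host are constructed for the illustration; only the common source expressions ('self', 'none', 'unsafe-inline', nonces, '*', scheme and host sources) are modelled, and the fallback from script-src to default-src follows the specification.

```python
# Added illustration of how a browser applies CSP rules; not PerimeterX's code
# and not the Chrome implementation. Models only the common source expressions.
from urllib.parse import urlparse


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))


def _host_matches(pattern, host):
    """Host source matching, including a leading wildcard label (*.example.com)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".example.com" suffix
    return pattern == host


def source_allows(source, url, page_origin):
    """Decide whether one source expression permits loading `url` from a page at `page_origin`."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "*":
        # The wildcard covers network schemes only; data:/javascript: never match it.
        return u.scheme in ("http", "https", "ws", "wss")
    if source == "'self'":
        o = urlparse(page_origin)
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if source.startswith("'"):
        # Keyword sources ('unsafe-inline', 'nonce-...', hashes) never match a URL.
        return False
    if source.endswith(":") and "/" not in source:
        # Scheme source such as "https:"
        return u.scheme == source[:-1].lower()
    if "://" not in source:
        # Bare host source: the scheme is inherited, so compare hosts only (simplified).
        return _host_matches(source.lower(), (u.hostname or "").lower())
    p = urlparse(source)
    return u.scheme == p.scheme and _host_matches((p.hostname or "").lower(), (u.hostname or "").lower())


def script_url_allowed(header, url, page_origin):
    """Would the browser fetch and run an external script from `url` under this policy?"""
    sources = effective_sources(parse_csp(header), "script-src")
    return any(source_allows(s, url, page_origin) for s in sources)


def inline_script_allowed(header, nonce=None):
    """Would an inline <script> (optionally carrying a nonce attribute) be allowed?"""
    sources = effective_sources(parse_csp(header), "script-src")
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True  # 'unsafe-inline' is ignored once a nonce or hash is present
    return nonce is not None and f"'nonce-{nonce}'" in sources


# Constructed example policy for a hypothetical shop.example site
EXAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-abc123'; img-src *"

if __name__ == "__main__":
    origin = "https://shop.example"
    print(script_url_allowed(EXAMPLE_POLICY, "https://cdn.example.com/app.js", origin))  # True
    print(script_url_allowed(EXAMPLE_POLICY, "https://evil.example/x.js", origin))       # False
    print(inline_script_allowed(EXAMPLE_POLICY, nonce="abc123"))                         # True
    print(inline_script_allowed(EXAMPLE_POLICY))                                         # False
```

The point of the model is that every decision is made by the browser from the site's declared rules, which is why a bug in the browser's enforcement, as in the flaw described here, undoes the policy no matter how carefully it was written.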

Break CSP Down Completely With A One-Liner

According to the PerimeterX report, anyone interested in the vulnerability and in how it operates can examine the proof-of-concept files that were previously submitted to the Google Chrome project.

Normally, an attempt to include such JS code is checked and blocked by the browser when the site's CSP settings reject the source, or the actions performed by the code.

Running the same JS code through a javascript: URL in the src of an iframe, however, completely bypasses the CSP rules configured on that website; CSP can be broken entirely with a one-liner.

Advisories Suggested by the Security Experts

  • Make sure that your CSP policies are properly established.
  • Add a few additional layers of security alongside CSP, as CSP alone is not enough.
  • Ensure that your Chrome browser is version 84 or higher.

Google, for its part, has said it is trying to help affected users, and has affirmed that it is still examining the attack in full and hoping to identify all the links used by the threat actors.

Along with Google, PerimeterX is also doing its best to identify all the applications that are being attacked, and it has advised users to be cautious about all information and execution.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.