Google has plugged a bug in Chrome that affected all of its users and could have enabled hackers to abuse video and audio HTML tags to steal data from victims.
The bug was a side-channel attack that abused the audience-filtering functions of websites, according to Ron Masas, a security researcher at Imperva who discovered the vulnerability in browsers built on the Blink engine, which Chrome uses.
"The flaw we discovered could have serious implications to Google Chrome users as it puts their personal data at risk of being accessed by those with malicious intent," said Masas.
"Attackers could establish the exact age or gender of a person, as it is saved on Facebook, regardless of their privacy settings. We reported the vulnerability to Google as soon as we had a clear understanding of its impact and the Chrome team has since responded with a patch for its users."
The bug could have been exploited by generating the aforementioned audio and video tags when a Chrome user visits a malicious site; those tags then issue requests to a specific targeted data resource, and the site monitors the responses to work out the size of that resource.
From there, the attacker can pose a series of yes-or-no questions about the browser user by abusing the audience-filtering options that social media sites like Facebook apply to posts.
"For example, a bad actor can create sizable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size. The same method can be used to extract the user gender, likes, and many other user properties we were able to reflect through crafted posts or Facebook's Graph Search endpoints," explained Masas.
"Large response size would indicate that the restriction didn't apply, while small ones would indicate that the content was restricted. Meaning, for instance, that the user is from a disallowed age or gender. With several scripts running at once, each testing a different and unique restriction, the bad actor can relatively quickly mine a good amount of private data about the user."
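The leak above works because a cross-site page can embed a personalised response in a media element and learn its size. As an added, defender-side example (not code from the article, Imperva or Google), the following guard shows how a site serving user-specific content can refuse such requests: it assumes the browser sends the Sec-Fetch-Dest and Sec-Fetch-Site request headers, answers media-element requests for non-media content with a fixed-size error so the size reveals nothing, and marks every response with Cross-Origin-Resource-Policy so browsers that honour it block cross-site embedding outright.

```javascript
// Added example, not from the article: a server-side guard against
// response-size leaks through cross-site <audio>/<video> embedding.
// Assumes the request object exposes lower-cased header names, the
// response content type, and the body the application wants to send.

// Fetch destinations a browser uses when a media element issues the request.
const MEDIA_DESTS = new Set(["audio", "video", "track"]);

// True when the content type is genuinely audio or video.
function isMediaType(contentType) {
  return /^(audio|video)\//i.test(contentType || "");
}

// Decide how to answer a request. Returns { status, headers, body }.
// `req` is a plain object: { headers: {...}, contentType, body }.
function guardResponse(req) {
  const dest = (req.headers["sec-fetch-dest"] || "").toLowerCase();
  const site = (req.headers["sec-fetch-site"] || "").toLowerCase();
  const headers = {
    // Tell browsers to block cross-origin embedding of this resource.
    "Cross-Origin-Resource-Policy": "same-origin",
    // Stop the browser from sniffing HTML into a media type.
    "X-Content-Type-Options": "nosniff",
    // Caches must keep the per-destination decisions apart.
    "Vary": "Sec-Fetch-Dest, Sec-Fetch-Site",
  };

  // A media element asked for something that is not media, or a
  // cross-site page did so: answer with an empty, constant-size body so
  // neither the content nor its length reflects the user's data.
  const mediaElementAsked = MEDIA_DESTS.has(dest);
  if (!isMediaType(req.contentType) && (mediaElementAsked || site === "cross-site" && dest !== "document")) {
    return { status: 403, headers, body: "" };
  }
  return { status: 200, headers, body: req.body };
}
```

Real media (a public MP3 with an audio/* content type) still passes; only personalised non-media responses are withheld from embedding contexts.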
He noted that in more serious circumstances, the bug could have been exploited with attack scripts running on a site that requires some form of email registration, allowing a hacker to match the extracted private data with the login email address of a user of, say, an e-commerce site.
There's no point worrying about the bug as it's now been thoroughly squashed. Still, it's just another example of how software gremlins can lurk behind even the most widely used and prominent browsers developed by billion-dollar firms with their own security teams.