PerimeterX cybersecurity researcher Gal Weizman discovered a vulnerability CVE-2020-6519 in Chromium based browsers - Chrome, Opera and Edge - on Windows, Mac and Android that allowed attackers to fully bypass CSP rules on Chrome versions 73 (March 2019) through 83 (July 2020). Since this vulnerability was found in Chrome - the most widely used browser today with over two billion users and more than 65% of the browser market - the implications are huge. CSP is the primary method used by website owners to enforce data security policies to prevent malicious Shadow Code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk.
Other than a handful of websites that were not impacted by this vulnerability, thanks to enhanced CSP policies controlled on the server side, many websites were susceptible to CSP bypass and potential malicious script execution. These include some of the largest websites in the world, such as Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger and Quora. Combined with the increasing ease with which attackers gain unauthorized access to web servers, this CSP bypass vulnerability had the potential for massive data breaches. This means that billions of users were potentially at risk of their data being breached by malicious code that bypassed the sites’ security policies.
For the technical details of the vulnerability, you can go here.
What is CSP?
Vulnerability and the risk of data breaches
Having a vulnerability in Chrome’s CSP enforcement mechanism doesn’t directly result in a site being breached. The attackers also need to get their malicious script loaded by the site in the first place. This factor resulted in a “medium severity” classification for this vulnerability.
However, having a vulnerability in a security mechanism that websites trust to enforce stricter policies on third-party scripts has vast implications. It is analogous to having a problem with your car’s safety equipment. Having a seat belt, airbags and collision sensors allows you to safely drive faster, and perhaps drive in ways you wouldn’t in the absence of such equipment. Because of this increased perception of safety, the damage caused in an accident when this equipment is faulty is much more severe. In a similar way, website developers may allow third-party scripts to add functionality to their payment page, for example, knowing that CSP will restrict access to sensitive information. So, when CSP is broken, the risk for sites that relied on it is potentially higher than it would have been if the site never had CSP to begin with.
Summary of the CVE
Here is a short summary of the vulnerability in Chrome versions prior to 84 and what it takes to achieve CSP bypass:
For the complete details please refer to the technical blog by Gal.
Advice for website owners and users
Since this vulnerability was present in Chrome browsers for over a year, the full implications are not yet known. It is highly likely that we will learn of data breaches in the coming months that exploited it and resulted in the exfiltration of personally identifiable information (PII) for nefarious purposes. It is not too late, however, to take action.
If you are a website owner, we recommend that you:
- Ensure your CSP policies are well defined. Read our technical blog for more details on how to use nonce and hash capabilities of CSP.
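As an added illustration of the nonce and hash capabilities mentioned above (example code written for this page, not PerimeterX’s own tooling), the following builds a script-src policy from a fresh per-response nonce and the SHA-256 hash of an inline script, and flags the allow-listing patterns that weaken script-src. The helper names and the sample inline script are assumptions; the directive keywords are standard CSP syntax.

```python
import base64
import hashlib
import secrets

# Constructed example: build a nonce/hash-based Content-Security-Policy
# header and flag weak script-src settings. Helper names are hypothetical.

def make_nonce():
    """Fresh 128-bit nonce for ONE response; never reuse it across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def hash_source(inline_script):
    """CSP hash-source for an inline <script> body, e.g. 'sha256-<base64>'.
    The hash covers the exact script text, so any whitespace change breaks it."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode()

def build_csp(nonce, inline_scripts=()):
    """Compose a policy that only runs nonced or hashed scripts."""
    sources = ["'self'", "'nonce-%s'" % nonce]
    sources += ["'%s'" % hash_source(s) for s in inline_scripts]
    sources.append("'strict-dynamic'")  # trust scripts loaded by trusted ones
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(sources),
        "object-src 'none'",
        "base-uri 'none'",
    ])

def weak_directives(policy):
    """Return findings for script-src values that undermine the policy."""
    findings = []
    for directive in policy.split(";"):
        parts = directive.split()
        if not parts or parts[0] != "script-src":
            continue
        values = parts[1:]
        has_nonce_or_hash = any(v.startswith(("'nonce-", "'sha")) for v in values)
        if "'unsafe-inline'" in values and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in values or any(v.endswith(":") for v in values):
            findings.append("script-src allows any host (wildcard or scheme-only source)")
    return findings

if __name__ == "__main__":
    nonce = make_nonce()
    print(build_csp(nonce, ["console.log('hello')"]))  # constructed inline script
    print(weak_directives("default-src 'self'; script-src 'self' 'unsafe-inline' https:"))
```

Emit the nonce value into each `<script nonce="...">` tag of the same response; a nonce that is static or cached defeats the purpose.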
If you are a website user - yes that is EVERYONE these days - we recommend that you:
- Ensure you are running Chrome browser version 84 or higher. You can do this by selecting “About Google Chrome” from the Chrome menu item in your browser. To upgrade your browser, click here.
Researchers at PerimeterX continue to dig deeper into application security technologies to make the online experience safer for users. Understanding the risks posed by Shadow Code, and planning now how to protect your website and web apps, is required to prevent client-side data breaches and the associated compliance penalties.
For more information on protecting your digital business from Shadow Code, get a complimentary 1-on-1 consultation with a certified client-side security architect here.