PerimeterX Researcher Finds Vulnerability in Google Chrome: Most Websites Using Content Security Policies (CSPs) Including Some of the Most Popular Sites on the Web Were at Risk

PerimeterX cybersecurity researcher Gal Weizman discovered a vulnerability CVE-2020-6519 in Chromium based browsers - Chrome, Opera and Edge - on Windows, Mac and Android that allowed attackers to fully bypass CSP rules on Chrome versions 73 (March 2019) through 83 (July 2020). Since this vulnerability was found in Chrome - the most widely used browser today with over two billion users and more than 65% of the browser market - the implications are huge. CSP is the primary method used by website owners to enforce data security policies to prevent malicious Shadow Code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk.

Other than a handful of websites that were not impacted from this vulnerability due to enhanced CSP policies controlled on the server side, many websites were susceptible to CSP bypass and potential malicious script execution. These include some of the largest websites in the world such as Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger and Quora. When combined with the increasing ease by which the attackers gain unauthorized access to web servers, this CSP bypass vulnerability had the potential for massive data breaches. This means that billions of users were potentially at risk of their data being breached by malicious code that bypassed the sites’ security policies.

For the technical details of the vulnerability, you can go here.

What is CSP?

CSP is a capability defined by the World Wide Web Consortium as part of the web standards that direct the browser to enforce certain client-side policies. With CSP rules, the website can direct the browser to block or allow specific requests including specific types of JavaScript code execution. This ensures stronger security for site visitors and protects them from malicious scripts. Developers use CSP to protect their applications from Shadow Code injection vulnerabilities and cross-site scripting (XSS) attacks, and to reduce the privilege with which their applications execute. Web application owners define the CSP policies for their site that are then enforced by the browser. CSP is supported by most common browsers including Chrome, Safari, Firefox and Edge, and are critical in protecting the client-side execution of Shadow Code.

Vulnerability and the risk of data breaches

Having a vulnerability in Chrome’s CSP enforcement mechanism doesn’t directly result in a site being breached. The attackers also need to get the malicious script called from the site. This factor resulted in a “medium severity” classification for this vulnerability.

However, having a vulnerability in a security mechanism that is trusted by websites to enforce stricter policies on third party scripts has vast implications. It is analogous to having a problem with your car’s safety equipment. Having a seat belt, airbags and collision sensors allows you to safely drive faster, and perhaps drive in ways you wouldn’t do in the absence of such equipment. As a result of this increased perception of safety, the damage caused in an accident when this equipment is faulty is much more severe. In a similar way, website developers may allow third party scripts to add functionality to their payment page, for example, knowing that CSP will restrict access to sensitive information. So, when CSP is broken, the risk for sites that relied on it is potentially higher than it would have been if the site never had CSP to begin with.

Summary of the CVE

Here is a short summary of the vulnerability in Chrome versions prior to 84 and what it takes to achieve CSP bypass:

• First, the attacker needs to gain access to the web server to be able to modify the javascript code it uses.
• Second, the attacker adds a frame-src or child-src directive in the javascript to allow the injected code to load and execute it, bypassing the CSP enforcement and thus bypassing the site’s policy.

For the complete details please refer to the technical blog by Gal.

Advice for website owners and users

Since this vulnerability was present in Chrome browsers for over a year, the full implications are not yet known. It is highly likely that we will learn of data breaches in the coming months that exploited it and resulted in the exfiltration of personally identifiable information (PII) for nefarious purposes. It is not too late, however, to take action.

If you are a website owner, we recommend that you:

• Ensure your CSP policies are well defined. Read our technical blog for more details on how to use nonce and hash capabilities of CSP.
• Recognize that CSP is not enough to protect websites, so consider adding layers of security like JavaScript-based detection and monitoring of Shadow Code for real-time mitigation of web page code injection.

If you are a website user - yes that is EVERYONE these days - we recommend that you:

• Ensure you are running Chrome browser version 84 or higher. You can do this by selecting “About Google Chrome” from the Chrome menu item in your browser. To upgrade your browser, click here.

Researchers at PerimeterX continue to dig deeper into application security technologies to make the online experience safer for users. Understanding the risks posed by Shadow Code, and strategizing now to protect your website and web apps is required to prevent client-side data breaches and associated compliance penalties.

For more information on protecting your digital business from Shadow Code, get a complimentary 1-on-1 consultation with a certified client-side security architect here.