- A bug that let attackers collect sensitive information about victims was discovered in Chrome.
- Google patched Chrome and released a new update.
Google has recently patched a big vulnerability in Chrome that allowed attackers to gather info from other sites via audio or video HTML tags. If you haven’t updated to Chrome 68 yet, it’s high time you did that.
The bug (known as CVE-2018-6177) was discovered by a security researcher from Imperva and was reported to Google back in March. The Chrome makers fixed it a couple of weeks ago, along with the release of a new Chrome update – v68.0.3440.75.
So, how does this attack work? Users could be lured to a malicious website via malvertising or various other vulnerabilities on legitimate sites. When the user visited that site, it injected multiple hidden video or audio HTML tags that requested older Facebook posts written by the victim. The attacker then analyzed the information and figured out the user’s exact age, for instance, even if that information was not public on the profile. Other types of sensitive data could also be gathered in this way and used against the victims in other types of targeted attacks.
“With several scripts running at once — each testing a different and unique restriction — the bad actor can relatively quickly mine a good amount of private data about the user,” researcher Ron Masas writes in his blog post.
This type of attack can have a significant impact on regular users, but it can also be used against corporations to gain access to intranets and other applications used within the company, thus exposing more sensitive data.
So, you can check to see if you have that version or higher by going to Chrome Settings -> About Chrome, and checking if you need to run an update or not. You probably don’t have anything to worry about unless you’ve jumped through hoops to disable automated updates via Microsoft’s interface.
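For anyone checking more than one machine, the same comparison can be scripted. This is an added example, not code from the article or from Google; the hostnames, the inventory format and the sample version strings are constructed assumptions. It compares each reported version numerically against the fixed release v68.0.3440.75, since a plain string comparison misorders versions such as 68.0.3440.9 and 100.x.

```python
import re

# Fixed release named in the article for CVE-2018-6177.
PATCHED = (68, 0, 3440, 75)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Extract the 4-part version from strings like 'Google Chrome 68.0.3440.75'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_patched(text):
    """True if at or above the fixed release, False if older, None if unparseable."""
    v = parse_chrome_version(text)
    return None if v is None else v >= PATCHED


def audit(inventory):
    """Return only hosts needing attention: {host: 'outdated' | 'unknown'}."""
    findings = {}
    for host, reported in inventory.items():
        status = is_patched(reported)
        if status is None:
            findings[host] = "unknown"
        elif not status:
            findings[host] = "outdated"
    return findings


# Constructed sample inventory (hostnames and reported strings are made up).
SAMPLE = {
    "ws-01": "Google Chrome 68.0.3440.75",
    "ws-02": "Google Chrome 67.0.3396.99",
    "ws-03": "Chromium 68.0.3440.9 snap",
    "ws-04": "Google Chrome 100.0.4896.127",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```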