Google Chrome: Bug enables data theft

[German]In all Chromium browsers (Google Chrome, Edge, Opera) there is a fat bug CVE-2020-6519, which introduces a vulnerability that allows attackers to bypass the Content Security Policy (CSP) protection and steal data from website visitors.


The bug  has been described in the Chromium-Tracker since March 2020 – but I became aware of the issue via the following tweet.

Chrome  before version 84 affected

The bug (CVE-2020-6519) was found in Chrome, Opera and Edge, on Windows, Mac and Android. Security researcher Gal Weizman has now disclosed the whole thing here. The security researcher was very surprised when he discovered this zero-day vulnerability in Chrome-based browsers – Chrome, Opera, Edge – on Windows, Mac and Android. The bug allowed attackers to completely bypass the CSP rules of Chrome versions 73 (March 2019) through 83 (July 2020). Only Chrome 84 fixes this vulnerability.

To better understand the extent of this vulnerability: The number of potentially affected users is in the billions, because Chrome alone has over two billion users. Some of the most popular sites on the web, such as Facebook, WellsFargo, Gmail, Zoom, Tiktok, Instagram, WhatsApp, Investopedia, ESPN, Roblox, Indeed, Blogger, Quora, and others are vulnerable to this vulnerability.

CSP, what is it?

The Content Security Policy (CSP) is basically a set of rules set by the website, which the browser here has to respect and enforce on behalf of the website. These rules allow the website to prompt the browser to block/allow certain request calls, certain types of Javascript code execution, and more, thereby increasing the safety of website visitors and protecting them from potentially infiltrated malicious scripts or cross-site scripting (XSS). 


A vulnerability in the CSP does not directly imply a privacy violation, as the attacker must also be able to get the malicious script to be called from the website (which is why the vulnerability has been classified as a moderate vulnerability).

How to bypass CSP with one line

Gal Weizman has succeeded in breaking the CSP with a one-liner – as he writes in this blog post. It is sufficient to use an iFrame tag. Weizmann then published a proof of concept.  So users should update to version 84 of the Chrome Browser or a Chromium Clone as soon as possible.

Cookies helps to fund this blog: Cookie settings

This entry was posted in browser, Security, Software, Virtualization and tagged , . Bookmark the permalink.

1 Response to Google Chrome: Bug enables data theft

  1. Chris Pugson says:

    I guess that this is why BrowserAudit showed critical vulnerabilities for Google Chrome prior to version 84. These are now absent and only warnings are shown.

    For a very long time, Firefox has shown a much superior performance, compared with Google Chrome and other Chrome browsers, under the examination of BrowserAudit. Firefox presently shows 3 warnings compared with Chrome’s 15 and has not shown a single critical notification for a very long time. That the future of Mozilla is now in doubt, thanks to COVID-19, is extremely worrying.

    I hope that Mozilla can renew its contract with Google thus allowing it to continue to make Google the default search engine in Firefox. This contract is said to be critical for Mozilla’s financial survival.

Leave a Reply

Your email address will not be published. Required fields are marked *