All Chromium browsers (Google Chrome, Edge, Opera) contain a serious bug, CVE-2020-6519, that allows attackers to bypass the Content Security Policy (CSP) protection and steal data from website visitors.
The bug has been described in the Chromium tracker since March 2020 – but I became aware of the issue via the following tweet.
Google Chrome Browser Bug Exposes Billions of Users to Data Theft https://t.co/sODBN0Sns2
— Nicolas Krassas (@Dinosn) August 11, 2020
Chrome before version 84 affected
The bug (CVE-2020-6519) was found in Chrome, Opera and Edge, on Windows, Mac and Android. Security researcher Gal Weizman has now disclosed the details, and writes that he was very surprised to discover this zero-day vulnerability in Chrome-based browsers. The bug allowed attackers to completely bypass the CSP rules in Chrome versions 73 (March 2019) through 83 (July 2020). The vulnerability is not fixed until Chrome 84.
To put the extent of this vulnerability in perspective: the number of potentially affected users is in the billions, because Chrome alone has over two billion users. Some of the most popular sites on the web, such as Facebook, Wells Fargo, Gmail, Zoom, TikTok, Instagram, WhatsApp, Investopedia, ESPN, Roblox, Indeed, Blogger, Quora, and others, are affected by this vulnerability.
CSP, what is it?
A vulnerability in the CSP does not directly imply a privacy violation, as the attacker must also be able to get the malicious script called from the website (which is why the vulnerability has been classified as moderate).
How to bypass CSP with one line
Gal Weizman has succeeded in breaking the CSP with a one-liner, as he writes in this blog post. It is sufficient to use an iframe tag. Weizman then published a proof of concept. So users should update to version 84 of the Chrome browser or of a Chromium clone as soon as possible.