Imperva uncovers Google Chrome vulnerability
The hole has been fixed, but only for those using the latest version of Chrome
Imperva has discovered a Google Chrome vulnerability that could potentially allow malicious actors to hack into users' computers to find sensitive information from Facebook and other personal platforms.
The bug researchers unearthed use the Blink engine in Google Chrome to break into the browser. Although the vulnerability has apparently been fixed with the latest update to Google Chrome, 58% of Chrome users haven't updated their browsers, leaving them exposed to the vulnerability.
"Attackers could establish the exact age or gender of a person, as it is saved on Facebook, regardless of their privacy settings," said Ron Masas, a researcher at security firm Imperva. "With several scripts running at once each testing a different and unique restriction the bad actor can relatively quickly mine a good amount of private data about the user."
Imperva explained the security hole takes advantage of Audio/Video HTML tags to generate requests to a target resource. It watches the actions made to the resource and then poses questions to the browser about its user based upon the pages it's accessed, requiring yes or no answers.
So if someone visits the site (such as Facebook), hidden video or audio tags will be implemented into the browser. It will then request Facebook posts the attacker has planted and can then analyse the victim's personal data including information such as their age as it's saved on Facebook.
"For example, a bad actor can create sizeable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size," Masas said. "The same method can be used to extract the user gender, likes, and many other user properties we were able to reflect through crafted posts or Facebook's Graph Search endpoints."
Google patched the security hole in Chrome 68's release after being advised about the potential problem by Imperva's researchers.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.