It is recommended to change to the latest version of the browser
With the launching of Chrome 68, Google identifies any non-HTTPS web site as ‘unsafe’ to make Internet browsing a safer experience. If this is not reason enough to switch to the latest version of the browser, here are more reasons: cyber security organization experts have discovered a vulnerability in web browsers that could allow a hacker to find all that other web platforms, such as Facebook and Google, know about you, and all they need is for you to visit a website.
The vulnerability, identified as CVE-2018-6177, exploits a weakness in the HTML audio and video tags and affects all web browsers powered by “Blink Engine”, including Google Chrome.
To describe the scenario, cyber security organization experts showed a Facebook example, the popular social networking platform that collects comprehensive information about their users, including their age, sex, location data and interests.
Facebook offers a targeting feature for guiding posts, allowing administrators to define a specific audience for posts based on age, location, sex and interests. To demonstrate the vulnerability, multiple posts were created on Facebook with different combinations of audience restrictions to categorize victims according to these criteria.
Now, if a website incorporates all of these Facebook posts, the site will upload and display only a few visitor-specific publications, based on the profile data of Facebook users that match the restricted audience settings.
For example, if a post – defined to be visible only to Facebook users with 26 years old, males, with interest in hacking or cyber security organization, was successfully loaded, an attacker would have the ability to deduct personal information from users, no matter the privacy settings of user’s profiles.
Even though the idea sounds rather simple, there are no direct ways available for site administrators to determine whether an embedded publication was successfully loaded for a specific visitor or not.
A member of the Google security team pointed out that the vulnerability could also work against websites that use APIs to get user specific session information.
The core of this vulnerability has some similarities with another browser error, patched in June this year, which exploited a weakness in the way web browsers handle cross-source requests to video and audio files, allowing Attackers access Gmail or private Facebook content.
Cyber security organization researchers reported the vulnerability to Google with a proof of concept of the exploit, and the team of Chrome patched the vulnerability in the Chrome 68 version. Therefore, it is strongly recommended that Chrome users update their browser to the latest version, if they have not yet done so, to stay safe from the possible Facebook information leaking.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.