Google's developers have fixed a vulnerability in the Chrome browser, through which cybercriminals received secret information from other sites through audio and video HTML tags. Security researcher Ron Masas from Imperva identified the problem associated with the vulnerability of CVE-2018-6177, and in late July 2018 in Chrome 68 installed a security code.
According to the researcher, a cyber attack requires malicious code that downloads content from legitimate sites inside audio and video HTML tags. An attacker can determine the size of responses received from sites, and guess the various types of information. In the normal situation, this is not possible due to the CORS function, which prevents sites from downloading resources from other web pages, but the program is able to bypass protection.
Cybercriminals could get data on the sex and age of users using the Audience Restriction function in the settings of Facebook. According to Masas, collecting answers through social networks,hacker can consistently receive valuable personal information.
Another Internet security specialist, Mike Gualtieri, believes that when attacking, hacker can use a more creative approach than collecting data from Facebook users. For example, use corporate backend, intranet and corporate web applications. Thanks to the bug, the ability to send requests has appeared, so an attack on the API can also be successful.
Experts strongly recommend to update Chrome to v68.0.3440.75 or newer in order to prevent vulnerability.