The bug, discovered and described by Imperva’s security researcher Ron Masas, has been proven to reveal the personal data of Google Chrome users to hackers.
The bug may still be present on any version of Google Chrome that isn’t the latest update.
It operates via the injection of HTML tags into websites. Inserting these into Facebook, for example, allows cyber attackers to create requests for a certain demographic. These requests would be for a yes/no answer about the user’s identity.
>See also: Browser based malware: evolution and prevention
Attackers can abuse Facebook’s ‘Audience Restrictions’ function to only allow users of a certain age, gender, location and other demographics. Several of these demographic-revealing scripts can run at once.
A large amount of responses would show that the restriction selected didn’t apply, while a small response rate would indicate restrictive content.
A more serious way that the bug can be implemented is via any website that requires email registration. If the script is running while such a site is also open, e.g. an e-commerce or cloud application site, email addresses can be correlated with the personal information a user has already provided.
>See also: Overlooked email security risks and how to prevent them
After Imperva reported the bug to Google, the creators of the Chrome Internet browser swiftly patched it within its Chrome 68 update.
This is not the only recent issue with Chrome 68 that Google’s had to amend since the update’s release back in July; WiFi issues involving Chrome OS 68 caused Google to have to pull the update from some Chromebook models.
A Possible Warning Sign for CTO’s
CTO’s of businesses of any kind that use Google Chrome for work purposes may want to check that browsers on all devices are up-to-date in order to ensure that company data is protected.