Google Chrome have fixed vulnerabilities in HTML tag stealing data

The Google Chrome development team has released some issues submitted by the new security staff, and these vulnerabilities have been disclosed in the latest version.

The number of security vulnerabilities numbered CVE-2018-6177 is more extensive, so the research team chose to fix the vulnerability before making it public.

Stealing data through HTML audio and video tags:

This vulnerability is a cross-site resource sharing vulnerability that can be used to steal data from other websites, and additional information can be detected through audio and video tags on the web page.

In principle, the browser’s security features have prohibited cross-site resource sharing to prevent theft of data, but this time the vulnerability can bypass this security policy.

In the specific implementation, the researcher said that malicious code could be inserted in the advertisement module loaded on the regular website, that is, specially made malicious advertisement code.

The researchers successfully read the sensitive data of Facebook users through this vulnerability during the test, but this kind of weakness will be more severe for enterprises to attack.

It is primarily possible to store sensitive data for stealing at specific locations for enterprise web applications, then extort or engage in commercial espionage.

The vulnerability has been fixed at the end of July:

Because the researchers believe that the weakness caused by this vulnerability may be relatively large, the details have been submitted to the Google Chrome team after the vulnerability is discovered.

The vulnerability was then fixed in Google Chrome version 68.0.3440.75, which was released at the end of July, but the researchers did not disclose the details of the vulnerability.

Until Google’s browser has released three new versions, most users have upgraded the research team before they choose to publish the full details of the vulnerability.

So especially enterprise-level users should make sure that they are using the latest version of Google Chrome, and that exploits of older versions may be vulnerable to hacking.