Security researchers recently exposed a medium-risk security vulnerability (CVE-2020-6519) in Google Chrome. This security vulnerability has existed for several years but has not been fixed until recently.
Attackers can use this security vulnerability to steal hundreds of millions of users’ data and execute malicious code. Although it is a medium-risk vulnerability, the threat is also very large.
This vulnerability has been repaired in the recently launched version of Google Chrome 84, so users must upgrade to version 84 and above to ensure safety.
The Content Security Policy (CSP) is a widely used webpage standard. The standard only needs to be used to prevent certain attacks such as cross-site scripting attacks and data injection attacks.
This policy allows website developers to specify the effective range of scripts that the browser can execute so that only the browser can execute trusted scripts to improve security.
Researchers found a loophole in the Content Security Policy (CSP). With this vulnerability, an attacker can bypass the Content Security Policy (CSP) and execute malicious code to steal data.
Of course, because the attack method is relatively difficult, the vulnerability is rated as a medium-risk vulnerability, but if unfortunately, all data can be stolen.
In order to exploit this vulnerability, an attacker must attack the server by other means in advance, and then tamper with the script loaded on the webpage and add injected code for enforcement.
Successful use of this method can directly bypass the Content Security Policy (CSP) and load malicious code. With the help of malicious code, an attacker can intercept all user data.
This vulnerability has existed since Google Chrome 73, and Google has fixed this mid-risk vulnerability in Google Chrome v84. Therefore, users of Google Chrome should make sure that you have used the latest version.