Google has patched a security flaw in the Blink browser engine, which powers its popular Chrome web browser, that allowed attackers to abuse audio/video HTML tags to, effectively, play 20 Questions with supposedly private user data.
Used by around 58 percent of the world's web users, thanks in no small part to being the default option for most Android smartphones and tablets, Google's browser is undeniably popular. Sadly, it has also been found to have a rather nasty security flaw by researchers at Imperva - a flaw which could be used to gain access to private data through what is effectively a game of 20 Questions.'The flaw we discovered could have serious implications to Google Chrome users as it puts their personal data at risk of being accessed by those with malicious intent,' explains Imperva's Ron Masas. 'Attackers could establish the exact age or gender of a person, as it is saved on Facebook, regardless of their privacy settings. We reported the vulnerability to Google as soon as we had a clear understanding of its impact and the Chrome team has since responded with a patch for its users.'
The bug itself is an interesting one: Masas discovered that attackers can use HTML's audio/video tags to generate requests to a specific target resource, then monitor the progress events of these requests to discover the size of the resource. 'As we found out, this information can then be used to "ask" a series of yes and no questions about the browser user, by abusing filtering functions available on social media platforms like Facebook,' Masas explains. 'For example, a bad actor can create sizeable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size. The same method can be used to extract the user gender, likes, and many other user properties we were able to reflect through crafted posts or Facebook’s Graph Search endpoints.
'Large response size would indicate that the restriction didn’t apply, while small ones would indicate that the content was restricted. Meaning, for instance, that the user is from a disallowed age or gender. With several scripts running at once — each testing a different and unique restriction –, the bad actor can relatively quickly mine a good amount of private data about the user. In a more serious scenario, the attack script would be running on a site that requires some kind of email registration — an e-commerce or a SaaS site, for instance. In this case, the above-mentioned practices would allow the bad actor to correlate the private data with the login email address for even more extensive and intrusive profiling.'
Having been privately disclosed to Google, the flaw has now been fixed: Chrome users are advised to update to the latest build of Chrome 68, which for most users will happen automatically, in order to ensure they are protected.