Security researchers at PerimeterX have disclosed a flaw in Chromium-based browsers that could have allowed attackers to bypass a site's Content Security Policy (CSP) rules.
CSP is an extra layer of defense that helps detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection. CSP rules let a website instruct the browser to perform client-side checks that block scripts which would otherwise exploit the browser's trust in content received from the server. CSP is defense in depth: a bypass only matters where an attacker already has a way to inject content into a page that the policy would otherwise have blocked.
According to the researchers, some of the most popular websites, including Facebook, Gmail, Zoom, TikTok, Instagram, Blogger and Quora, were susceptible to the bypass. The flaw, tracked as CVE-2020-6519 and rated 6.5 on the CVSS scale, has been present since Chrome 73; by bypassing CSP it allows otherwise-blocked malicious script to execute on the target website.
How the bug circumvents the CSP rules
A CSP's script-src directive (or default-src, when script-src is absent) specifies the domains the browser should treat as valid sources of executable scripts: a CSP-compatible browser executes only scripts loaded from those allow-listed domains and ignores all others.
It is worth noting, however, that websites such as GitHub, LinkedIn, Twitter, the Google Play Store, Yahoo's login page, PayPal and Yandex were not affected by this vulnerability, because their CSP policies authorized inline scripts by hash rather than relying on a host allow-list alone.
How to mitigate the circumvention of the CSP rules
The researchers promptly disclosed the flaw to Google, and the Chrome team issued a fix in Chrome version 84.0.4147.89, which started rolling out on July 14, 2020.
Although the vulnerability has no severe implications on its own, since it still requires an injection point on the target site, users are advised to update their browsers to the latest version to protect against such malicious code execution. As a precautionary measure, website owners are recommended to use CSP's nonce and hash capabilities, which authorize each inline script individually instead of trusting everything served from an allow-listed host, and which also remove the need for the 'unsafe-inline' keyword.