What is CVE-2018-6177?

Today’s new releases of browser software are supposed to be improvements over past versions in terms of functionality, helpful features, security, and the speed of overall operation. However, these changes often involve new vulnerabilities which hackers can target and exploit. A recent release of Google Chrome is a good example. A vulnerability allowed hackers to access user information stored in major web platforms such as Facebook and Google. This vulnerability was identified as CVE-2018-6177. It was only recently addressed with the release of a patch known as Chrome 68.


How Have People Been Affected?

The Chrome vulnerability has caused people to hesitate about upgrading to the most current version of the browser. The previous release’s vulnerability has allowed hackers to have increased access to data stored on online databases, including Google and Facebook, leaving a full range of personal information exposed.

The vulnerability exploits a weakness in the audio and video HTML tags used in the engine. It has been listed in the Common Vulnerabilities and Exposures database, a .org website dedicated to such issues. The National Vulnerability Database (NVD), a US government establishment also dedicated to this cause, has an entry about the issue that is incomplete.

The most severe attacks that a user can experience include identity theft, resource theft, and system damage through the execution of arbitrary code. Users could also experience common side effects of hacker attacks, including being locked out of their accounts or having to address unauthorized messages or postings. Users may also be redirected to sites that could involve phishing attempts or some other damaging hacking effort. Denial-of-service and authorized network accounts are also possible for organizations or individuals that fall victim to hackers exploiting the vulnerability.

The Center for Internet Security reported that the most recent release of the browser will show unsecure designations on websites using HTTP rather than HTTPS (the standard Hypertext Transfer Protocol rather than its secured form). This may make users assume that state, local, tribal, or territorial (SLTT) government websites are not secure. While users are advised to follow federal and developer organization guidelines for security, the risk of the vulnerability remaining in the software is classified as high for multiple user types. More specifically, the vulnerability levels by user type are reported as:

  • ‘High’ for large and medium government and business entities
  • ‘Medium’ for small government and business entities
  • ‘Low’ for home or individual users

The vulnerability is also referred to as a cross-origin information leak specific to the internal Blink Engine, or web browsing database used as a foundational operating platform for the browser. The Center for Internet Security recommends that users:

  • Apply the stable channel update available through Google
  • Run software as a non-privileged or non-administrative user (to minimize impacts of successful attacks)
  • Ensure non-trusted links are not browsed
  • Inform all users of the vulnerability and its demands
  • Apply a Principle of Least Privilege (maximizing security and minimizing accessibility amid organizational requirements) to all systems, users, and services

Reporting on potential instances of successful hacks through this vulnerability, The Hacker News described a scenario where a user with a Facebook account could potentially have their personal information accessed and misused.

A researcher with this source made several Facebook posts, using different combinations of audiences to categorize potential victim types by personal traits categorized by the service, and confirmed the nature of the vulnerability. When a website embeds multiple Facebook posts of this type on a webpage, it loads and displays only some of them, based on matching to individual profile information.

The vulnerability allows hackers to gain access to the personal information of visitors to such pages, regardless of their privacy settings. The browser version does not give administrators a direct way to determine whether embedded posts were loaded for specific visitors, which creates a need to check for and address this.

Users can attempt to rely on Cross-Origin Resource Sharing (CORS), a security feature within the browser that blocks websites from reading content from other sites without authorization. However, because the aforementioned audio and video HTML tags do not validate the types of content retrieved from other sources or block responses with invalid Multipurpose Internet Mail Extensions (MIME) types, hackers are able to use multiple hidden tags on websites to request Facebook post information.

While the approach does not generate Facebook posts, hackers can exploit the vulnerability while using JavaScript to gauge request numbers and read the sizes of cross-origin resources to determine which posts and information sets they can get from users. Since several scripts run simultaneously, hackers can effectively data mine once they are able to generate these responses.

Hackers can potentially design sites to return different response sizes dependent on the traits of the logged-in users, and then record information from all people observed through the connections.
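The article's remedy is the browser update; a site that serves embeddable posts can also refuse the mismatched media-tag requests described above. The following is an added example, not code from the original article or from any company it names. It assumes a browser that sends the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), and the /embed/post/ route and all function names are hypothetical.

```javascript
// Added example: resource isolation check built on Fetch Metadata request headers.
// The route prefix and all function names are hypothetical.
const EMBED_PREFIX = '/embed/post/';              // HTML meant to be framed by other sites
const FRAME_DESTS = new Set(['iframe', 'frame']);

function decide(method, path, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata send no header; this check cannot judge them.
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };
  // Same-origin, same-site and user-initiated (typed URL, bookmark) requests pass.
  if (site !== 'cross-site') return { allow: true, reason: 'not-cross-site' };

  if (path.startsWith(EMBED_PREFIX)) {
    // A genuine embed is a GET navigation inside a frame. The same URL requested
    // as audio or video is the destination mismatch the article describes.
    const framed = method === 'GET' && mode === 'navigate' && FRAME_DESTS.has(dest);
    return framed
      ? { allow: true, reason: 'framed-embed' }
      : { allow: false, reason: 'embed-as-' + (dest || 'unknown') };
  }
  // Other pages: allow only a top-level link click from another site.
  if (method === 'GET' && mode === 'navigate' && dest === 'document') {
    return { allow: true, reason: 'top-level-navigation' };
  }
  return { allow: false, reason: 'cross-site-subresource' };
}

// Every refusal gets the same status and empty body, so its size does not vary
// with the traits of the logged-in user.
function respond(decision) {
  return decision.allow ? null : { status: 403, body: '' };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  ['GET', '/embed/post/1', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe' }],
  ['GET', '/embed/post/1', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'video' }],
  ['GET', '/embed/post/1', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'audio' }],
  ['GET', '/profile', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' }],
  ['GET', '/profile', { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' }],
  ['GET', '/profile', {}],
];
function evaluateSamples() {
  return SAMPLES.map(([m, p, h]) => decide(m, p, h).reason);
}
console.log(evaluateSamples());
```

Requests without the headers are passed through, so this check complements the patched browser and does not replace it.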

The vulnerability is similar to another recent browser issue, a related problem with cross-origin requests that allowed hackers to read Gmail and Facebook messages. The previous issue was patched in June, and although the current issue was addressed in a patch included with Chrome 68, unpatched users remain vulnerable to the described exploitations.

What’s The Bottom Line?

  • Chrome releases have been subject to audio and video HTML tag vulnerabilities.
  • Facebook and Google messages, along with personal information, are vulnerable.
  • Chrome 68 has addressed the issue; users are recommended to replace their older version with the patched version immediately.