kreizihorse - Fotolia
A security vulnerability in Google Chrome and all browsers that run the Blink browser engine could enable malicious actors to uncover private data in Facebook and other platforms, a security researcher has warned.
“Attackers could establish the exact age or gender of a person, as it is saved on Facebook, regardless of their privacy settings,” said Ron Masas, a researcher at security firm Imperva.
According to Masas, a potential attacker could use side channel methodology to abuse filtering functions in websites to deduce information such as age, gender, likes and location history of a Facebook user, for example, by using audio and video HTML tags to generate requests to the target site and then monitoring the progress events generated by these requests.
This means that an attacker could “ask” a series of questions about the browser. “For example, a bad actor can create sizeable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size,” he wrote in a blog post.
A large response size would indicate that the restriction did not apply, while small ones would indicate that the content was restricted, showing that a particular user is from a disallowed age or gender.
“With several scripts running at once – each testing a different and unique restriction – the bad actor can relatively quickly mine a good amount of private data about the user,” said Masas.
If the attacker were to run an attack script on a site that requires email registration, such as an e-commerce site, the bad actor could correlate the private data with the login email address for even more extensive and intrusive profiling, he added.
Read more about Google Chrome security
- The security industry has welcomed the introduction of measures by the Google Chrome browser aimed at achieving certificate transparency.
- Security researchers have discovered a new botnet delivered via malicious Chrome extensions designed to hijack computers to mine cryptocurrency and record victims’ every move.
- Google Chrome warns of any embedded content such as ads that pretend to act like, and look and feel like, a trusted entity.
“When a user visits the bad-actor site, the site injects multiple hidden video or audio tags that request a number Facebook posts the attacker previously published and restricted using different techniques,” said Masas. “The attacker can then analyse each request to indicate, for example, the user’s exact age, as it is saved on Facebook, regardless of their privacy settings.”
Imperva reported the vulnerability to Google, which responded by patching the vulnerability in Chrome’s 68 release.
“We strongly recommend that all Chrome users make sure they are running the latest version,” said Masas.