Tag audio Video and exploited to collect sensitive data in Google Chrome: update now
Ron Masas, Security researchers work with Impervert, Recently reported vulnerability in Google Chrome-driven tag audio and video to launch the attacks.
In an article published by Masas, causes weakness that is said to be the rendering of Chrome Machine Blink, is responsible for the behavior of the tag audio and video. Hackers can inject malicious code into the tags of audio and video to monitor responses to requests made to the WEB platforms such as Facebook, Google, Youtube etc.
Bug monitor progress generated by events and to give visibility to the original size of the requested resource. Information obtained may be used to ask questions about users on social media platforms.
Typically, the Cross-origin resource sharing (cors) function browser do not allow sharing of resources from other sites, but bug bypasses Cors.
According to Masas, "in a sense, a bug that allows an attacker to estimate the size of source cross-original source using audio or video tag. "
Mike Gualteri, other security researchers, said that the weaknesses can be exploited in some other scenarios as well as social media platforms except. According to him, the bad actors can target backend enterprise, distributed and enterprise-based applications to spy on information.
Shortly after his discoveries, Masas reported exposure to Google under CVE-2018-6177, and it has been fixed with version Chrome v 68.0.3440.75.
If you haven't updated your chrome to the latest version, it is advisable that you need to update it immediately.