Cybersecurity vendor Imperva revealed today that a Google Chrome bug could expose private user data to inventive attackers. The security firm compared exploiting the flaw to playing 20 Questions with online services like Facebook, Google and "likely many other web platforms" to quietly gather information about people.
The problem stemmed from Chrome's rendering engine, Blink, and the way it handled the audio and video HTML tags. An attacker could plant hidden audio or video tags on a web page that pointed at URLs on a service like Facebook; when a victim visited the page, Chrome loaded those URLs with the victim's own session, and the attacker could observe how Chrome handled the response. The browser's same-origin policy still stopped the attacker's page from reading the response itself, and no response said anything as direct as "this person is a 23-year-old man from Oklahoma City," but what leaked about each response was enough to piece that sort of data together.
Imperva said it could measure the size of each response, which was enough to tell a "yes" from a "no" answer to a crafted query. Combining that with Facebook's Audience Restriction tools, which let a poster show content only to specific demographics, lets the attacker ask the service questions about the victim: a post restricted to one demographic comes back in full (a large response) only if the victim belongs to it, and otherwise as a small "not available" page. Hence the comparison to 20 Questions: the exploit guessed someone's attributes one "yes" or "no" answer at a time.
Imperva explained in its blog post about the bug:
"For example, a bad actor can create sizeable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size. ... The same method can be used to extract the user gender, likes and many other user properties we were able to reflect through crafted posts or Facebook’s Graph Search endpoints."
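The following is an added example, not code from Imperva's write-up or from the original article, that models the inference step just described. It assumes a simulated victim profile, a simulated service where a post restricted to an audience is served in full (large) only to matching viewers and as a small error page otherwise, and a size oracle that stands in for what the Chrome bug leaked; the real attack obtained that oracle by loading the crafted URLs through hidden audio/video tags in the victim's browser, and the measurement details are not described on this page. The example goes slightly beyond the text: besides one post per possible age, as Imperva describes, it shows the same yes/no oracle driven by age-range audiences, which needs roughly log2(N) questions instead of N.

```javascript
// Added example (not Imperva's code): the "20 Questions" inference behind the
// Chrome response-size leak, run against a simulated victim and service.

// Constructed victim profile: what the attacker wants to learn.
const VICTIM = { age: 23, gender: "male" };

// Assumed service model. A crafted post is padded to be large; a viewer who
// does not match its audience restriction gets a small "not available" page.
const LARGE_POST_BYTES = 50000;
const NOT_AVAILABLE_BYTES = 2000;

// Audience rule: any of { minAge, maxAge, gender }; missing fields match all.
function matchesAudience(viewer, audience) {
  if (audience.minAge !== undefined && viewer.age < audience.minAge) return false;
  if (audience.maxAge !== undefined && viewer.age > audience.maxAge) return false;
  if (audience.gender !== undefined && viewer.gender !== audience.gender) return false;
  return true;
}

// Deterministic PRNG (LCG) so the jitter below is reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s * 1664525 + 1013904223) >>> 0;
    return s / 2 ** 32;
  };
}

// The size oracle stands in for the browser bug: it returns the byte length the
// victim's browser would receive for a post with the given audience, plus some
// jitter (headers, timestamps) so the attacker must classify sizes, not compare
// exact values.
function makeSizeOracle(viewer, rng) {
  return (audience) => {
    const base = matchesAudience(viewer, audience) ? LARGE_POST_BYTES : NOT_AVAILABLE_BYTES;
    return base + Math.floor(rng() * 500);
  };
}

// Attacker side: turn a measured size into a yes/no answer with a threshold
// midway between the two expected sizes. A real attacker calibrates this with
// posts whose audience is known to include and exclude the test account.
function answerFromSize(bytes) {
  return bytes > (LARGE_POST_BYTES + NOT_AVAILABLE_BYTES) / 2;
}

// Strategy 1 (as in Imperva's description): one post per candidate age.
// Costs up to (maxAge - minAge + 1) questions.
function enumerateAge(oracle, minAge, maxAge) {
  let questions = 0;
  for (let age = minAge; age <= maxAge; age++) {
    questions++;
    if (answerFromSize(oracle({ minAge: age, maxAge: age }))) return { age, questions };
  }
  return { age: null, questions };
}

// Strategy 2: the same oracle with age-range audiences, bisecting the range.
// Costs about log2(N) questions plus one confirmation that the victim is in
// range at all (otherwise the search would still converge on some wrong age).
function bisectAge(oracle, minAge, maxAge) {
  let lo = minAge;
  let hi = maxAge;
  let questions = 0;
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    questions++;
    if (answerFromSize(oracle({ minAge: lo, maxAge: mid }))) hi = mid;
    else lo = mid + 1;
  }
  questions++;
  const confirmed = answerFromSize(oracle({ minAge: lo, maxAge: lo }));
  return { age: confirmed ? lo : null, questions };
}

// One post per candidate value works for any categorical attribute.
function inferGender(oracle, candidates) {
  for (const gender of candidates) {
    if (answerFromSize(oracle({ gender }))) return gender;
  }
  return null;
}

// Full profile using the cheaper age search. The 13..65 range is an assumption.
function profile(oracle) {
  return {
    age: bisectAge(oracle, 13, 65).age,
    gender: inferGender(oracle, ["female", "male"]),
  };
}

const demoOracle = makeSizeOracle(VICTIM, makeRng(42));
console.log("enumerate:", enumerateAge(demoOracle, 13, 65));
console.log("bisect:   ", bisectAge(demoOracle, 13, 65));
console.log("profile:  ", profile(demoOracle));
```

Nothing in the attacker-side functions ever sees the post contents; every bit of the profile comes from classifying response sizes, which is why the only fix that fully closes the channel is in the browser. Sites can still blunt this class of oracle by making "visible" and "not available" responses similar in size, but that is a mitigation, not a substitute for the Chrome fix.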
But the method wasn't limited to Facebook; it could be used to gather data from other services as well. This could be particularly damaging if the hacker learned the target's email address, Imperva said, because it "would allow the bad actor to correlate the private data with the login email address for even more extensive and intrusive profiling." That profiling could enable more effective phishing attempts or other attacks.
Imperva said it told Google about the problem as soon as it had confirmed the vulnerability and built a proof of concept. Google fixed the issue in the Blink engine in Chrome 68, which debuted in July, so if your browser is up to date, the flaw shouldn't affect you (Chrome shows its version, and fetches any pending update, at chrome://settings/help). If your browser isn't up to date, the bug's public disclosure ought to be motivation enough to install the latest version of Chrome and shut this channel.
The attack never reads your data outright; it feels its way toward it in the dark, one "yes" or "no" answer at a time.