Author Topic: Zero Day CSP Bypass Vulnerability in Google Chrome Discovered  (Read 274 times)

BigBrother

Zero Day CSP Bypass Vulnerability in Google Chrome Discovered
« on: August 11, 2020, 12:42:36 am »
tl;dr: This is the story of how I found and helped Google patch a zero day vulnerability in the Chrome browser that could have allowed attackers to fully bypass CSP rules since Chrome 73 (March 2019), and how researching it taught me that today's CSP mechanism design is the reason no one uses CSP correctly, and therefore many of the biggest websites in the world are exposed to this vulnerability.

Bypassing CSP completely can be very bad.

I was extremely surprised when I discovered this zero day vulnerability affecting Chromium-based browsers - Chrome, Opera, Edge - on Windows, Mac and Android that allowed attackers to fully bypass CSP rules on Chrome versions 73 (March 2019) through 83 (July 2020).

To better understand the magnitude of this vulnerability: the potentially impacted users number in the billions, with Chrome having over two billion users and more than 65% of the browser market on the one hand, and some of the most popular sites on the web being vulnerable to this CVE on the other.

Vulnerable sites included Facebook, WellsFargo, Gmail, Zoom, TikTok, Instagram, WhatsApp, Investopedia, ESPN, Roblox, Indeed, Blogger, Quora and more.

So what was the vulnerability exactly?

Read the full article @ https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/
--
Best Regards
CFTIRC Admin
https://www.acfti.org/cftirc-community