Stopspying

Level 10
"The vulnerability allows attackers to bypass Content Security Policy (CSP) protections and steal data from website visitors.
A vulnerability in Google’s Chromium-based browsers would allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code.
The bug (CVE-2020-6519) is found in Chrome, Opera and Edge, on Windows, Mac and Android – potentially affecting billions of web users, according to PerimeterX cybersecurity researcher Gal Weizman. Chrome versions 73 (March 2019) through 83 are affected (84 was released in July and fixes the issue)...."

 

Correlate

Level 16
Verified
Bypassing CSP completely can be very bad..
I was extremely surprised when I discovered this zero day vulnerability affecting Chromium based browsers - Chrome, Opera, Edge - on Windows, Mac and Android that allowed attackers to fully bypass CSP rules on Chrome versions 73 (March 2019) through 83 (July 2020).

To better understand the magnitude of this vulnerability - the potentially impacted users are in the billions, with Chrome having over two billion users, and more than 65% of the browser market on one hand, and some of the most popular sites on the web being vulnerable to this CVE on the other hand.
 
Top