Episode 84: Google Chrome Plans to Implement Insecure Form Warnings
The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code, which has been fixed in Chrome version 85. Google also announced that Chrome 86 will alert users if a form submission is using the insecure HTTP protocol, making it a good time to audit older sites that may have migrated to HTTPS, but still have forms submitting via HTTP.
A security researcher found a flaw in Apple’s Safari browser that could allow an attacker to access files on a Mac or iOS device.
The FBI and CISA have issued a joint alert to warn about the growing threat from vishing attacks targeting companies.
Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Chrome patches vulnerability that could be used to execute arbitrary code
1:20 Google announces Chrome 86 will alert users to insecure form submissions
2:55 Safari browser zero-day vulnerability could lead to leaking files to an attacker
4:40 FBI-CISA joint alert about growing vishing threat
Episode 84 Transcript
Hello everyone. It’s Scott from Wordfence. This is Think Like a Hacker, the weekly podcast about WordPress security and innovation. Let’s get right into this week’s stories.
First up a couple of stories relating to the Google Chrome browser. A patch was released for Google Chrome this week, which fixed a vulnerability that could potentially allow code execution. The flaw, which is called a use-after-free vulnerability was in the graphics library component of Chrome. This was part of the functionality that lets users render 2D and 3D graphics. The issue came about from improperly handling memory. If the memory layout of the browser were manipulated by an attacker, they could gain control and ultimately it could lead to arbitrary code execution. An attacker could execute code via one of the vulnerable functions, which was used to sync data. When that was done, it then creates the use-after-free condition mentioned earlier. This can occur from attempts to access memory after it’s been freed up, which can then result in a program crashing or potentially result in execution of arbitrary code. So currently the thing to do here is check your current browser version and make sure that you’ve updated to Chrome 85, which should be available for you now.
In another story regarding the popular web browser, Google said in an upcoming release of Chrome, that they will be restricting forms that are sent via HTTP protocol. This is a push to have site owners review their site and be sure that forms are transmitting data via the secure HTTPS protocol. It’s important to be sure that all of the data on your site is being transmitted securely. And if you’ve recently migrated to HTTPS, double check to be sure that your forms are transmitting data securely to reduce any chance of being alerted or warned by Google of the issue, which could potentially end up resulting in a loss of revenue, depending on what your forms are used for.
If your forms are not transmitting data securely, you’ll see a message alerting you that the form is not secure. And you’ll also see an alert that autofill has been disabled for the form. Your visitors will also see these messages as well. An additional warning will be then shown to the site visitor when they attempt to submit data via that form and the warning will give the visitor an opportunity to continue with the data submission or cancel the submission at that point. One thing to consider as a site owner is checking your browser console for warnings that mention mixed content being loaded on the site. If you’re seeing that message, you can then find some tools with a Google search or via the WordPress plugins area to help automatically fix insecure and mixed content being loaded. Chrome 86 will feature these changes and it’s due to be released on October 6th, 2020.
Sticking with browser related news, Safari has a zero day vulnerability affecting the Mac OS and iOS browsers. The vulnerability allows an attacker to access files that are stored on the user’s local hard drive. This bug was discovered by the polar security firm REDTEAM.PL. The vulnerability resides in the Safari web share API, which introduces the ability to share text, links, files, and other things cross-browser. Visiting a malicious site set up for this vulnerability could open your device to this issue and result in leaking out the private stored local files from your device. After repeatedly chasing Apple about this vulnerability, the researcher who discovered the zero day was notified by Apple, that it would not be patched until the April 2021 security update and then he took it upon himself to disclose the issue in advance. Now, the researcher who disclosed the bug has described it as not very serious due to the fact that the user would need to be tricked into a situation to leak out the files.
However, the attack itself can be hidden well. The vulnerability is not easy to carry out, and it does require some user interaction, as I mentioned, which draws comparison to a social engineering attack. But the founder of the issue mentions that barriers for the bug are far from insurmountable and demonstrates the bug and a proof of concept video, which you can check out on YouTube. So as this has not yet been patched and may not be for some time, it’s always a good rule of thumb to double check where you’re browsing at any given time and always be aware on what you’re clicking and who you’re giving information to.
In our last story for this week, the FBI and CISA, which is the Cyber Security and Infrastructure Security Agency, issued an alert warning about the growing threat of voice phishing, or vishing, attacks. Now you might be wondering what is vishing? Vishing is a form of fishing where during a voice call, a scammer will attempt social engineering to get you to share personal information or company information, to help them with their attack. This can result in an attacker gaining access to employee tools with the end goal of monetizing the access. KrebsOnSecurity took a look at a crime group, which is offering to steal VPN credentials and other data from employees working remotely during the pandemic. In their article they mentioned in the joint FBI-CISA alert that the vishers are said to be compiling information on the employees using public profiles on social media sites and other readily available services, such as background checks.
In the alert it’s noted that in some cases, unsuspecting employees granted access to these vishers, even helping them bypass 2FA and/or one-time passwords (OTP). In other cases, attackers were able to gain access to the necessary one-time codes by targeting the employee with SIM swapping, which is a technique that involves social engineering an employee at a mobile phone company, which would then result in the employee giving them control of the target’s phone number, allowing them to access the 2FA code. One way around this for companies that are working remotely is the approach that Google took in requiring all employees to use physical security keys in place of one-time codes. You can check out USB and USBC versions of these physical security keys from the company Yubico who offers the YubiKey.
That’s all this week for Think Like a Hacker. Take a second to subscribe to our mailing list in the footer of the Wordfence.com homepage and keep up to date with any breaking security news there. Until next week from all of us here at Wordfence, have a great weekend and we’ll catch you soon.
Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.