Google Chrome has a serious zero-day vulnerability that lets hackers execute malicious code
This vulnerability allows hackers to bypass the Content Security Policy (CSP) rules that were released in Chrome 73. Fortunately, Google has now released a patch for it.
On Monday, security researchers revealed a critical zero-day security vulnerability in Chromium-based browsers running on Windows, Mac and Android. This vulnerability allows hackers to bypass Content Security Policy (CSP) rules released in Chrome 73.
The vulnerability, tracked as CVE-2020-6519, is rated 6.5 on the CVSS severity scale. Once the CSP is bypassed, the hacker will be able to run any malicious code on the victim's website.
Popular websites like Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger, and Quora can all be hacked with this vulnerability.
In fact, Tencent Security Xuanwu Lab discovered the CVE-2020-6519 vulnerability more than a year ago, just a month after Chrome 73 was launched with CSP. However, no one noticed and fixed it until PerimeterX Center discovered it again and reported it in March of this year.
After receiving the report, the Google Chrome development team fixed the CVE-2020-6519 vulnerability in the Chrome 84 update released on July 14.
CSP is an additional layer of security that detects and mitigates certain types of attacks, including Cross-Site Scripting (XSS) attacks and data injection attacks. With CSP, a website can instruct the browser to perform certain checks that block files containing malicious code.
Therefore, when a hacker gets past the CSP, the user's data is at risk.
In addition to the CVE-2020-6519 vulnerability patch, the Chrome 84 update also fixes 15 other security holes. Among them, 12 were rated as high risk and 2 were low risk.
To avoid risk, experts recommend that users update their browser to the latest version. Browsers currently built on Chromium include Google Chrome, Opera, Coc Coc and Microsoft Edge.
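For site operators, one way to estimate how many visitors still run an unpatched Chromium build is to read the Chrome/<version> token from User-Agent strings in access logs. The sketch below is an added example, not code from the article or from Google; the function names, the sample strings and the affected range 73 to 83 (read from the article's "Chrome 73" and "fixed in Chrome 84") are assumptions.

```python
import re

# Assumption taken from the article: the bypass is tied to Chrome 73 and the
# fix shipped in Chrome 84, so majors 73..83 are treated as unpatched.
FIRST_AFFECTED, FIRST_FIXED = 73, 84

# Chromium-based browsers (Chrome, Edge, Opera, Coc Coc) keep a Chrome/<ver> token.
CHROME_TOKEN = re.compile(r"Chrome/(\d+)\.")


def chromium_major(user_agent):
    """Return the Chromium major version, or None if the UA is not Chromium-based."""
    # Chrome on iOS reports CriOS/<ver> and runs on WebKit, so it never matches here.
    match = CHROME_TOKEN.search(user_agent)
    return int(match.group(1)) if match else None


def is_unpatched(user_agent):
    """True when the UA reports a Chromium major inside the assumed affected range."""
    major = chromium_major(user_agent)
    return major is not None and FIRST_AFFECTED <= major < FIRST_FIXED


def summarize(user_agents):
    """Count unpatched Chromium clients versus everything else."""
    counts = {"unpatched": 0, "other": 0}
    for ua in user_agents:
        counts["unpatched" if is_unpatched(ua) else "other"] += 1
    return counts


# Constructed sample User-Agent strings (not taken from real logs).
WEBKIT = "AppleWebKit/537.36 (KHTML, like Gecko)"
SAMPLE_UAS = [
    f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {WEBKIT} Chrome/83.0.4103.116 Safari/537.36",
    f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {WEBKIT} Chrome/84.0.4147.89 Safari/537.36",
    f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {WEBKIT} Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.37",
    f"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) {WEBKIT} Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.125",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) CriOS/83.0.4103.88 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_UAS))
```

User-Agent strings are supplied by the client and can be altered, so the counts are an inventory estimate rather than proof of a browser's patch level.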