A security researcher has discovered a vulnerability in web browsers that could allow attackers to find everything other web platforms, such as Facebook and Google, knows about you. All they need is just trick you into visiting a website.

The vulnerability takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by the Blink Engine including Google Chrome. Blink is a browser engine used in the Google Chrome browser and other web-based projects.

The researcher took an example of Facebook because it collects in-depth profiling information on its users, including their age, gender, (location data)and interests such as what users like and don't like.

How the browser attack works

The researcher created multiple Facebook posts with different combinations of the restricted audiences to categorise victims according to their age, location, interest or gender.
  • If a website embeds all these Facebook posts on a web page, it will load and display only a few specific posts at the visitors' end based on individuals' profile data on Facebook that matches restricted audience settings. 
  • If a post, for instance defined to be visible only to the Facebook users with age 26, male, having and interest in hacking and online sales, an attacker can potentially learn personal information on visitors, regardless of their privacy settings. 
  • The researcher found that since audio and video HTML tags don't validate the content type of fetched resources or reject responses an attacker can use multiple hidden video or audio tags on a website to request Facebook posts. 
  • Though this method doesn't display Facebook posts as intended, it does allow the attacker-controlled website to find out which specific posts were successfully fetched from Facebook for an individual visitor.

The core of this vulnerability has some similarities with another browser bug, patched in June this year, which exploited a weakness in how web browsers handle cross-origin requests to video and audio files, allowing attackers to read the content of your Gmail or private Facebook messages.

The Chrome team patched the issue in it Chrome 68 release.

Chrome users are strongly recommended to update their browser to the latest version, if they haven’t already done so.