A browser bug in Google Chrome has been discovered that lets bad actors uncover private data stored on Facebook, Google sites and other platforms, by using video and audio HTML tags, and the filtering functions in websites.
The bug in question exists in the Blink engine, which is used to power Chrome. The vulnerability allows attackers to inject the browsers of unsuspecting visitors to a malicious site with specialized hidden video or audio tags.
According to Imperva, which identified and reported the flaw, these A/V HTML tags can then be used as part of a script that generates requests to a target resource within a web application that’s also open on the victim’s desktop, such as Facebook. In turn, the responses to those requests can be used to infer data about the infected user.
