CVE-2018-16072 in Chrome

Summary

by MITRE

A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page.


Analysis

by VulDB Data Team • 04/27/2020

CVE-2018-16072 is a critical security flaw in Blink, the rendering engine that powers Google Chrome and other Chromium-based browsers. It stems from a missing origin check in the handling of HTTP Live Streaming (HLS) manifests, the playlists used to deliver adaptive-bitrate video over HTTP. The flaw affects Chrome versions prior to 69.0.3497.81, so users running outdated builds remain exposed.

The flaw lies in how Blink processes HLS manifests and the media segments they reference. When a page loads an HLS manifest that points at external media resources, the browser should validate the origin of each reference to prevent cross-origin access. Because that validation was missing, a crafted HTML page could bypass these checks and circumvent the same-origin policy, a fundamental pillar of web security, giving a remote attacker a path to resources that should be restricted to a specific origin.
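As an added example (not Chromium's code), the following Python script shows the kind of origin check described above: it parses a constructed M3U8 manifest, resolves every segment, sub-playlist, EXT-X-KEY and EXT-X-MAP reference against the manifest URL, and flags any whose origin (scheme, host, port) differs from the manifest's own. All URLs and the manifest itself are constructed for illustration.

```python
# Added example (not Chromium code): the same-origin check the advisory
# says was missing, applied to a constructed HLS manifest. A reference is
# flagged when its resolved (scheme, host, port) differs from the manifest's.
from urllib.parse import urljoin, urlsplit


def origin_of(url):
    """Return (scheme, host, port) with default ports made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def manifest_references(manifest):
    """Collect segment/sub-playlist URIs and URI attributes of EXT-X-KEY / EXT-X-MAP."""
    refs = []
    for line in manifest.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith(("#EXT-X-KEY", "#EXT-X-MAP")) and 'URI="' in line:
                start = line.index('URI="') + 5
                refs.append(line[start:line.index('"', start)])
            continue
        refs.append(line)  # non-tag line: media segment or sub-playlist URI
    return refs


def cross_origin_references(manifest_url, manifest):
    """Absolute URLs referenced by the manifest whose origin differs from the manifest's."""
    base = origin_of(manifest_url)
    return [
        absolute
        for absolute in (urljoin(manifest_url, r) for r in manifest_references(manifest))
        if origin_of(absolute) != base
    ]


# Constructed sample: two same-origin segments, a cross-origin key URI and segment.
SAMPLE_URL = "https://video.example/live/index.m3u8"
SAMPLE_MANIFEST = """#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.other.example/k.bin"
#EXTINF:6.0,
seg0.ts
#EXTINF:6.0,
https://video.example:443/live/seg1.ts
#EXTINF:6.0,
https://cdn.other.example/seg2.ts
#EXT-X-ENDLIST
"""
```

Note that an explicit `:443` on an https URL is treated as the same origin as the manifest's implicit port, which is the normalisation a real browser applies; a differing scheme or host is flagged.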

The operational impact is severe: the flaw enables cross-origin resource access that could lead to data exfiltration, content manipulation or further exploitation. The same-origin policy is the core mechanism that prevents a malicious website from reading sensitive data belonging to other domains, and its bypass opens a significant attack surface. An attacker could use the flaw to access media content from other origins, potentially including protected or private streams, and could use that capability as a stepping stone for more sophisticated attacks on user sessions or sensitive data.

The vulnerability is classified under CWE-284 (Improper Access Control) and belongs to the broader class of web security flaws that undermine the browser's fundamental security model. From an ATT&CK perspective, it maps to techniques involving privilege escalation and credential access through web-based attacks. The flaw shows how a specialised component such as HLS manifest handling can introduce a critical gap that affects the entire browser. Organizations and users should update to Chrome 69.0.3497.81 or later to mitigate the risk; the flaw can be exploited without user interaction, which makes it particularly dangerous across large deployments.

Reservation

08/29/2018

Disclosure

01/09/2019

Moderation

accepted

CPE

ready

EPSS

0.00146

KEV

no

Activities

very low

Sources
