Ethical Hacking News
Google Releases Urgent Chrome Update to Patch Cross-Origin Data Leak Vulnerability
Google has issued an urgent update for the Chrome web browser to fix a high-severity vulnerability (CVE-2025-4664) that exposes sensitive user data to malicious actors. The bug was discovered by security researcher Vsevolod Kokorin and allows remote attackers to leak cross-origin data via crafted HTML pages, potentially leading to full account takeovers. Users are advised to update Chrome to version 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux, and to update other Chromium-based browsers as well. The discovery highlights the importance of regular software updates and online security measures to protect against threats like this one.
Google has issued an urgent update for its Chrome web browser, addressing a high-severity vulnerability that could expose sensitive user data to malicious actors. The bug, tracked as CVE-2025-4664, was discovered by security researcher Vsevolod Kokorin (@slonser_) and is related to the way Chrome resolves Link headers on sub-resource requests.
According to Kokorin's findings, the vulnerability allows a remote attacker to leak cross-origin data via a crafted HTML page. This can potentially lead to a full account takeover, as query parameters can contain sensitive information that can be stolen via an image from a third-party resource. The researcher demonstrated the vulnerability with a proof-of-concept (PoC).
Chrome's resolution of Link headers differs from that of other browsers: the header can set a referrer policy, and that policy can specify unsafe-url, which captures full query parameters. This means that if an attacker gains access to sensitive data, they could potentially use this information to exploit the vulnerability further.
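One way a defender can look for this pattern in captured traffic, as an added example that is not from the article or from Chrome: the script parses Link headers on sub-resource responses and flags third-party responses that request `referrerpolicy=unsafe-url`. The record shape (`pageUrl`, `resourceUrl`, `linkHeader`), the function names and all hostnames are assumptions made for the illustration.

```javascript
// Added example, not from the article. Records are constructed placeholders.
const ENTRY = /<([^>]*)>((?:\s*;\s*[\w-]+(?:\s*=\s*(?:"[^"]*"|[^;,\s]*))?)*)/g;
const PARAM = /;\s*([\w-]+)(?:\s*=\s*(?:"([^"]*)"|([^;,\s]*)))?/g;

// Parse a Link header value into [{ target, params }]. Handles several
// comma-separated entries and quoted or bare values (lowercased to compare).
function parseLinkHeader(value) {
  const links = [];
  for (const m of value.matchAll(ENTRY)) {
    const params = {};
    for (const p of m[2].matchAll(PARAM)) {
      params[p[1].toLowerCase()] = (p[2] ?? p[3] ?? "").toLowerCase();
    }
    links.push({ target: m[1], params });
  }
  return links;
}

// Flag third-party sub-resource responses whose Link header asks for
// referrerpolicy=unsafe-url. Only the names of the page's query parameters
// are reported, so the audit output does not copy the secrets themselves.
function auditResponses(records) {
  const findings = [];
  for (const r of records) {
    const page = new URL(r.pageUrl);
    if (new URL(r.resourceUrl).origin === page.origin) continue; // first party
    for (const link of parseLinkHeader(r.linkHeader || "")) {
      if (link.params.referrerpolicy !== "unsafe-url") continue;
      findings.push({
        resource: r.resourceUrl,
        linkTarget: new URL(link.target, r.resourceUrl).href,
        exposedQueryKeys: [...page.searchParams.keys()],
      });
    }
  }
  return findings;
}

const samplePage = "https://app.example/callback?code=abc123&state=xyz";
const sampleRecords = [ // constructed log records
  { pageUrl: samplePage, resourceUrl: "https://img.thirdparty.example/avatar.png",
    linkHeader: '</pixel.png>; rel="preload"; as="image"; referrerpolicy="unsafe-url"' },
  { pageUrl: samplePage, resourceUrl: "https://cdn.example.net/logo.png",
    linkHeader: "<https://cdn.example.net/f.woff2>; rel=preload; referrerpolicy=no-referrer, </x.css>; rel=preload" },
  { pageUrl: samplePage, resourceUrl: "https://app.example/banner.png",
    linkHeader: "</a.js>; rel=preload; referrerpolicy=unsafe-url" },
];
console.log(JSON.stringify(auditResponses(sampleRecords), null, 2));
```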
Google has advised users to update their Chrome browser to versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as soon as they become available.
The discovery of this vulnerability highlights the importance of regular software updates and the need for users to stay vigilant in protecting their online security. As threat actors continue to exploit vulnerabilities like this one, it is crucial that users take steps to patch these issues and protect themselves from potential threats.
In addition to the Chrome update, Google has also released a statement acknowledging that an exploit for CVE-2025-4664 exists in the wild. This means that malicious actors may already be exploiting this vulnerability to gain unauthorized access to sensitive user data.
The implications of this vulnerability are significant, and it is essential that users take immediate action to protect themselves. By updating their Chrome browser and following best practices for online security, users can minimize the risk of falling victim to this type of attack.
Furthermore, this incident serves as a reminder of the importance of responsible disclosure in the security community. Security researchers like Vsevolod Kokorin play a critical role in identifying vulnerabilities and reporting them to manufacturers, allowing for swift action to be taken to address these issues.
As we move forward in an increasingly complex digital landscape, it is essential that users stay informed about emerging threats and take proactive steps to protect themselves. By staying vigilant and taking advantage of available security measures, users can significantly reduce the risk of falling victim to exploits like this one.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Chrome-Flaw-Exposes-Sensitive-User-Data-via-Loader-Referrer-Policy-ehn.shtml
https://thehackernews.com/2025/05/new-chrome-vulnerability-enables-cross.html
https://nvd.nist.gov/vuln/detail/CVE-2025-4664
Published: Thu May 15 03:23:58 2025 by llama3.2 3B Q4_K_M