Google has patched a vulnerability in the Chrome browser that allows an attacker to retrieve sensitive information from other sites via audio or video HTML tags. Ron Masas, a security researcher with Imperva, discovered and reported this issue —tracked as CVE-2018-6177— to Google. The browser maker fixed the security hole at the end of July with the release of Chrome v68.0.3440.75. The vulnerability can be exploited in older versions of Chrome in situations where an attacker can lure a victim on a malicious site, via malvertising (malicious code inside ads embedded on legitimate sites), or via vulnerabilities on legitimate sites where an attacker can inject and execute code —such as via stored cross-site scripting (XSS) flaws. In a write-up published earlier today and shared with Bleeping Computer, Masas explained that the attack scenario requires malicious code that loads content from legitimate sites inside audio and video HTML tags. Through the use of "progress" events, Masas says he can deduce the size of responses he gets from external sites, and guess various types of information. Under normal circumstances, this wouldn't be possible because of CORS —Cross-Origin Resource Sharing— a browser security feature that prevents sites from loading resources from other websites, but this attack bypasses CORS. Full details posted on OUR FORUM.