To exploit this issue, an attacker needs to construct a malicious .js file and feed it to a user. This can be done by uploading a file to a user’s profile, or by emailing the file to the user. Once a user receives the crafted file and opens it, the attacker’s code is run with the privileges of the user.

To determine if an account is vulnerable to this attack, the attacker can send a test .js file to the user’s email. If the email is verified, the file will be received and the code will run with the privileges of the user.

An attacker can also upload a file to a user’s profile, which will be received and run with the privileges of that account.

Google Chrome Vulnerability

Google Chrome Vulnerability Affecting Millions of Users
This week, Google announced a security vulnerability in the Google Chrome browser. It has been discovered that malicious code can be injected into websites through a crafted JavaScript file. This issue affects millions of users and some researchers believe that it was created by the same Russian hacking group behind the 2016 election interference campaign.

If you have not updated your browser to the latest version, you are vulnerable to this attack. Although there is no evidence as of yet that any malicious activity resulted from this vulnerability, it is important for all users to update their browsers to prevent any future attacks from happening.

What is the .js File?

The .js file is a JavaScript file that can be used to exploit this vulnerability.
The malicious code in the file can be executed by the user with the privileges of that account.
This vulnerability was disclosed on July 10, 2017 and has been assigned CVE-2022-25644.

Mitigation and Detection

Vulnerable users who receive a malicious .js file should ensure that their email is verified before opening the file, or they should delete the file without opening it.

To determine if your account is vulnerable to this attack, send a test .js file to your email and verify that it has been received.

Vulnerable Code: var x = document.createElement("style"); x.type = "text/css"; x.id = "custom-style"; var y = document.createTextNode("

Vulnerable Versions:

This vulnerability has been fixed in the following versions:
- CVE-2022-25644 - WordPress 4.9.2
The exploit affected all versions of WordPress prior to WordPress 4.9.2.

Timeline

Published on: 08/29/2022 05:15:00 UTC
Last modified on: 09/01/2022 19:54:00 UTC

References