Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites that you have logged-in the same browser
Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.
For security reasons, modern web browsers don't allow websites to make cross-origin requests to a different domain unless any domain explicitly allows it.
That means, if you visit a website on your browser, it can only request data from the same origin the site was loaded from, preventing it from making any unauthorized request on your behalf in an attempt to steal your data from other sites.
However, web browsers do not respond in the same way while fetching media files hosted on other origins, allowing a website you visit to load audio/video files from different domains without any restrictions.
Moreover, browsers also support range header and partial content responses, allowing websites to serve partial content of a large media file, which is useful while playing a large media or downloading files with pause and resume ability.
In other words, media elements have an ability to join pieces of multiple responses together and treat it as a single resource.
However, Archibald found that Mozilla FireFox and Microsoft Edge allowed media elements to mix visible and opaque data or opaque data from multiple sources together, leaving a sophisticated attack vector open for attackers.