#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Chrome | Breaking Cybersecurity News | The Hacker News

Category — Chrome
Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition

Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition

Nov 09, 2020
Multiple software products from Adobe, Apple, Google, Microsoft, Mozilla, and Samsung were successfully pwned with previously unseen exploits in  Tianfu Cup 2020 , the third edition of the international cybersecurity contest held in the city of Chengdu, China. "Many mature and hard targets have been pwned on this year's contest," the event organizers  said . "11 out of 16 targets cracked with 23 successful demos." The hacking competition showed off hacking attempts against a  number of platforms , including: Adobe PDF Reader Apple iPhone 11 Pro running iOS 14 and Safari browser ASUS RT-AX86U router CentOS 8 Docker Community Edition Google Chrome Microsoft Windows 10 v2004 Mozilla Firefox Samsung Galaxy S20 running Android 10 TP-Link TL-WDR7660 router VMware ESXi hypervisor The Tianfu Cup, analogous to Pwn2Own, was started in 2018 following a  government regulation  in the country that barred security researchers from participating in internati
WARNING: Google Discloses Windows Zero-Day Bug Exploited in the Wild

WARNING: Google Discloses Windows Zero-Day Bug Exploited in the Wild

Nov 02, 2020
Google has disclosed details of a new zero-day privilege escalation flaw in the Windows operating system that's being actively exploited in the wild. The elevation of privileges (EoP) vulnerability, tracked as  CVE-2020-17087 , concerns a buffer overflow present since at least Windows 7 in the Windows Kernel Cryptography Driver ("cng.sys") that can be exploited for a sandbox escape. "The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue," Google's Project Zero researchers Mateusz Jurczyk and Sergei Glazunov noted in their technical write-up. The security team made the details public following a seven-day disclosure deadline because of evidence that it's under active exploit. Project Zero has shared a proof-of-concept exploit (PoC) that can be used to corrupt kernel data and crash vulnerable Windows devices even under default system configurations. What's notable is that the exploit ch
Sailing the Seven Seas Securely from Port to Port – OT Access Security for Ships and Cranes

Sailing the Seven Seas Securely from Port to Port – OT Access Security for Ships and Cranes

Oct 28, 2024Operational Technology / Cybersecurity
Operational Technology (OT) security has affected marine vessel and port operators, since both ships and industrial cranes are being digitalized and automated at a rapid pace, ushering in new types of security challenges. Ships come to shore every six months on average. Container cranes are mostly automated. Diagnostics, maintenance, upgrade and adjustments to these critical systems are done remotely, often by third-party vendor technicians. This highlights the importance of proper secure remote access management for industrial control systems (ICS).  Learn more in our Buyer's Guide for Secure Remote Access Lifecycle Management .  We at SSH Communications Security (SSH) have been pioneering security solutions that bridge the gap between IT and OT in privileged access management . Let's investigate how we helped two customers solve their critical access control needs with us. Secure Remote Access Around the Globe to 1000s of Ships  In the maritime industry, ensuring secure and e
Browser Bugs Exploited to Install 2 New Backdoors on Targeted Computers

Browser Bugs Exploited to Install 2 New Backdoors on Targeted Computers

Oct 30, 2020
Cybersecurity researchers have disclosed details about a new watering hole attack targeting the Korean diaspora that exploits vulnerabilities in web browsers such as Google Chrome and Internet Explorer to deploy malware for espionage purposes. Dubbed " Operation Earth Kitsune " by Trend Micro, the campaign involves the use of SLUB (for SLack and githUB) malware and two new backdoors —  dneSpy and agfSpy  — to exfiltrate system information and gain additional control of the compromised machine. The attacks were observed during the months of March, May, and September, according to the cybersecurity firm. Watering hole attacks allow a bad actor to compromise a targeted business by compromising a carefully selected website by inserting an exploit with an intention to gain access to the victim's device and infect it with malware. Operation Earth Kitsune is said to have deployed the spyware samples on websites associated with North Korea, although access to these websites
cyber security

AWS EKS Security Best Practices [Cheat Sheet]

websiteWiz.ioCloud Security / Kubernetes
Unlock this one-stop resource for mastering EKS security best practices and safeguarding your cloud-native applications.
New Chrome 0-day Under Active Attacks – Update Your Browser Now

New Chrome 0-day Under Active Attacks – Update Your Browser Now

Oct 21, 2020
Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. Google released Chrome version 86.0.4240.111 today to patch several security high-severity issues, including a zero-day vulnerability that has been exploited in the wild by attackers to hijack targeted computers. Tracked as CVE-2020-15999 , the actively exploited vulnerability is a type of memory-corruption flaw called heap buffer overflow in Freetype, a popular open source software development library for rendering fonts that comes packaged with Chrome. The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19 and is subject to a seven-day public disclosure deadline due to the flaw being under active exploitation. Glazunov also immediately reported the zero-day vulnerability to FreeType developers, who then
Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

Feb 25, 2020
Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days. The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities , all of which have been marked 'HIGH' in severity, including one that (CVE-2020-6418) has been reportedly exploited in the wild. The brief description of the Chrome bugs, which impose a significant risk to your systems if left unpatched, are as follows: Integer overflow in ICU — Reported by André Bargull on 2020-01-22 Out of bounds memory access in streams (CVE-2020-6407) — Reported by Sergei Glazunov of Google Project Zero on 2020-01-27 Type confusion in V8 (CVE-2020-6418) — Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18 The Integer Overflow vulnerability was disclosed by André Bargull privately to Google last month, earning him $5,000 in rewards, while the other two
Critical Flaw Reported in Popular Evernote Extension for Chrome Users

Critical Flaw Reported in Popular Evernote Extension for Chrome Users

Jun 13, 2019
Cybersecurity researchers discover a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed. Evernote is a popular service that helps people taking notes and organize their to-do task lists, and over 4,610,000 users have been using its Evernote Web Clipper Extension for Chrome browser. Discovered by Guardio, the vulnerability ( CVE-2019-12592 ) resided in the ways Evernote Web Clipper extension interacts with websites, iframes and inject scripts, eventually breaking the browser's same-origin policy (SOP) and domain-isolation mechanisms. According to researchers, the vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue. "A full exploit that would allow loading a remote hacker contr
Google Will Prompt European Android Users to Select Preferred Default Browser

Google Will Prompt European Android Users to Select Preferred Default Browser

Mar 20, 2019
Google announced some major changes for its Android mobile operating system in October after the European Commission hit the company with a record $5 billion antitrust fine for pre-installing its own apps and services on third-party Android phones. The European Commission accused Google of forcing Android phone manufacturers to "illegally" tie its proprietary apps and services—specifically, Chrome and Google Search as the default browsers—to Android, unfairly blocking competitors from reaching consumers. This rule led Google to change the way it licenses the Google mobile application suite to Android smartphone makers. Now, Google is further making some changes related to browser and search engine choice. In a blog post published Tuesday, Google announced that the company would prompt Android phone owners in Europe (new and existing ones) in the coming months to choose from a variety of web browsers and search engines for their devices as their default apps. &
Chrome Bug Allowed Hackers to Find Out Everything Facebook Knows About You

Chrome Bug Allowed Hackers to Find Out Everything Facebook Knows About You

Aug 16, 2018
With the release of Chrome 68, Google prominently marks all non-HTTPS websites as 'Not Secure' on its browser to make the web a more secure place for Internet users. If you haven't yet, there is another significant reason to immediately switch to the latest version of the Chrome web browser. Ron Masas, a security researcher from Imperva, has discovered a vulnerability in web browsers that could allow attackers to find everything other web platforms, like Facebook and Google, knows about you—and all they need is just trick you into visiting a website. The vulnerability, identified as CVE-2018-6177 , takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by "Blink Engine," including Google Chrome. To illustrate the attack scenario, the researcher took an example of Facebook, a popular social media platform that collects in-depth profiling information on its users, including their age, gender, where you have been (loca
Google Developer Discovers a Critical Bug in Modern Web Browsers

Google Developer Discovers a Critical Bug in Modern Web Browsers

Jun 20, 2018
Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites that you have logged-in the same browser. Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages. For security reasons, modern web browsers don't allow websites to make cross-origin requests to a different domain unless any domain explicitly allows it. That means, if you visit a website on your browser, it can only request data from the same origin the site was loaded from, preventing it from making any unauthorized request on your behalf in an attempt to steal your data from other sites. However, web browsers do not respond in the same way while fetc
Update Google Chrome Immediately to Patch a High Severity Vulnerability

Update Google Chrome Immediately to Patch a High Severity Vulnerability

Jun 06, 2018
You must update your Google Chrome now. Security researcher Michał Bentkowski discovered and reported a high severity vulnerability in Google Chrome in late May, affecting the web browsing software for all major operating systems including Windows, Mac, and Linux. Without revealing any technical detail about the vulnerability, the Chrome security team described the issue as incorrect handling of CSP header ( CVE-2018-6148 ) in a blog post published today. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the Chrome security team notes. Content Security Policy (CSP) header allows website administrators to add an extra layer of security on a given web page by allowing them to control resources the browser is allowed to load. Mishandling of CSP headers by your web brow
7 Chrome Extensions Spreading Through Facebook Caught Stealing Passwords

7 Chrome Extensions Spreading Through Facebook Caught Stealing Passwords

May 11, 2018
Luring users on social media to visit lookalike version of popular websites that pop-up a legitimate-looking Chrome extension installation window is one of the most common modus operandi of cybercriminals to spread malware. Security researchers are again warning users of a new malware campaign that has been active since at least March this year and has already infected more than 100,000 users worldwide. Dubbed Nigelthorn, the malware is rapidly spreading through socially engineered links on Facebook and infecting victims' systems with malicious browser extensions that steal their social media credentials, install cryptocurrency miners, and engage them in click fraud. The malware was pushed through at least seven different Chrome browser extensions—all were hosted on Google's official Chrome Web Store. These malicious Chrome browser extensions were first discovered by researchers at cybersecurity firm Radware, after a "well-protected network" of one of its custo
Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Apr 16, 2018
Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication. In order to trick victims into installing the Android malware, dubbed Roaming Mantis , hackers have been hijacking DNS settings on vulnerable and poorly secured routers . DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more. Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher —both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers. Discovered by security researchers at Kaspersk
Hackers Hijacked Chrome Extension for Web Developers With Over 1 Million Users

Hackers Hijacked Chrome Extension for Web Developers With Over 1 Million Users

Aug 03, 2017
From past few years, spammers and cyber criminals were buying web extensions from their developers and then updating them without informing their users to inject bulk advertisements into every website user visits in order to generate large revenue. But now they have shifted their business model—instead of investing, spammers have started a new wave of phishing attacks aimed at hijacking popular browser extensions. Just two days ago, we reported how cyber criminals managed to compromise the Chrome Web Store account of a German developer team and hijacked Copyfish extension , and then modified it with ad-injection capabilities to distribute spam correspondence to users. Now just yesterday, another popular Chrome extension ' Web Developer ' was hijacked by some unknown attackers, who updated the software to directly inject advertisements into the web browser of over its 1 million users. Chris Pederick , the creator of Web Developer Chrome extension that offers various w
Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication

Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication

May 30, 2017
What if your laptop is listening to everything that is being said during your phone calls or other people near your laptop and even recording video of your surrounding without your knowledge? Sounds really scary! Isn't it? But this scenario is not only possible but is hell easy to accomplish. A UX design flaw in the Google's Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on. AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, 2017, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way. How Browsers Works With Camera & Microphone Before jumping onto vulnerability details, you first need to know that web browser based audio-video communication relies on WebRTC (Web Real-Time Communications) protocol – a collection of communications protocols th
Browser AutoFill Feature Can Leak Your Personal Information to Hackers

Browser AutoFill Feature Can Leak Your Personal Information to Hackers

Jan 11, 2017
Just like most of you, I too really hate filling out web forms, especially on mobile devices. To help make this whole process faster, Google Chrome and other major browsers offer "Autofill" feature that automatically fills out web form based on data you have previously entered in similar fields. However, it turns out that an attacker can use this autofill feature against you and trick you into spilling your private information to hackers or malicious third parties. Finnish web developer and whitehat hacker Viljami Kuosmanen published a demo on GitHub that shows how an attacker could take advantage of the autofill feature provided by most browsers, plugins, and tools such as Password Managers. Although, this trick was first discovered by Ricardo Martin Rodriguez , Security Analyst at ElevenPaths, in the year 2013, but it seems Google haven't done anything to address weakness in Autofill feature. The proof-of-concept demo website consists of a simple online
Comodo's so-called 'Secure Internet Browser' Comes with Disabled Security Features

Comodo's so-called 'Secure Internet Browser' Comes with Disabled Security Features

Feb 03, 2016
Beware Comodo Users! Have you Safeguarded your PC with a Comodo Antivirus? Then you need to inspect your system for privacy and security concerns. First of all, make sure whether your default browser had been changed to " Chromodo " -- a free browser offered by Comodo Antivirus. If your head nod is " Yes ," then you could be at risk! Chromodo browser, which is supplied along with the installation of Comodo Anti-Virus Software and marketed as 'Private Internet Browser' for better security and privacy, automatically overrides system settings to set itself as your 'Default Browser.' And secondly, the main security concern about Comodo Antivirus is that the Chromodo browser has 'Same Origin Policy' (SOP) disabled by default. Google's security researcher Tavis Ormandy , recently shouted at Comodo for disabling SOP by default in its browser settings that violates one of the strongest browser security policy. Orm
Beware of Fake 'WhatsApp Web' Spreading Banking Trojan

Beware of Fake 'WhatsApp Web' Spreading Banking Trojan

Feb 07, 2015
Cybercriminals are known to take advantage of everything that captures public attention in order to spread malware, and the recently launched web client of the most popular WhatsApp messaging application seems to be their next target. Last month, the messaging giant WhatsApp, with 700 million users worldwide, finally launched its web client to the public. The feature is called " WhatsApp Web ," which gives its users the ability to read and send messages directly from their web browsers. FAKE WHATSAPP WEB SPREADING BANKING TROJANS However, malicious hackers have taken the advantage of the latest WhatsApp Web and have started fooling users all over the world with fake downloads masquerading as a desktop variant of the WhatsApp mobile application. Security researchers at Kaspersky Labs have spotted a seemingly genuine WhatsApp Web for Windows in spam campaign available for fake download that actually spreads financial malware Trojans to the systems worldwide.
Chrome Plans to Mark All 'HTTP' Traffic as Insecure from 2015

Chrome Plans to Mark All 'HTTP' Traffic as Insecure from 2015

Dec 16, 2014
Google is ready to give New Year gift to the Internet users, who are concerned about their privacy and security. The Chromium Project's security team has marked all HTTP web pages as insecure and is planning to explicitly and actively inform users that HTTP connections provide no data security protections. There are also projects like Let's Encrypt , launched by the non-profit foundation EFF (Electronic Frontier Foundation) in collaboration with big and reputed companies including Mozilla, Cisco, and Akamai to offer free HTTPS/SSL certificates for those running servers on the Internet at the beginning of 2015. This is not the first time when Google is taking initiative to encourage website owners to switch to HTTPS by default. Few months ago, the web Internet giant also made changes in its search engine algorithm in an effort to give a slight ranking boost to the websites that use encrypted HTTPS connections. "We, the Chrome Security Team, propose that
Expert Insights / Articles Videos
Cybersecurity Resources