The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Google Chrome

4 Major Privacy and Security Updates From Google You Should Know About

4 Major Privacy and Security Updates From Google You Should Know About

May 07, 2021Ravie Lakshmanan
Google has announced a number of user-facing and under-the-hood changes in an attempt to boost privacy and security, including rolling out two-factor authentication automatically to all eligible users and bringing iOS-styled privacy labels to Android app listings. "Today we ask people who have enrolled in  two-step verification  (2SV) to confirm it's really them with a simple tap via a Google prompt on their phone whenever they sign in," the company  said . "Soon we'll start automatically enrolling users in 2SV if their accounts are appropriately configured." Google Play To Get Apple-Like Privacy Labels The Google Play Store for Android is also getting a huge overhaul on the privacy front. The search giant said it plans to include a new  safety section  for app listings that highlights the type of data is collected and stored — such as approximate or precise location, contacts, personal information, photos and videos, and audio files — and how the data i
Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit

Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit

April 21, 2021Ravie Lakshmanan
Google on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild. Tracked as CVE-2021-21224 , the flaw concerns a type confusion vulnerability in V8 open-source JavaScript engine that was reported to the company by security researcher Jose Martinez on April 5 According to security researcher  Lei Cao , the bug [ 1195777 ] is triggered when performing integer data type conversion, resulting in an out-of-bounds condition that could be used to achieve arbitrary memory read/write primitive. "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," Chrome's Technical Program Manager Srinivas Sista  said  in a blog post. The update comes after proof-of-concept (PoC) code exploiting the flaw published by a researcher named " frust " emerged on April 14 by taking advantage of the fact that the issue was addressed
RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers

RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers

April 12, 2021Ravie Lakshmanan
An Indian security researcher has publicly published a proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave. Released by Rajvardhan Agarwal, the working  exploit  concerns a remote code execution vulnerability in the V8 JavaScript rendering engine that powers the web browsers. It is believed to be the same flaw demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at  Pwn2Own 2021 hacking contest  last week. Keith and Baumstark were awarded $100,000 for leveraging the vulnerability to run malicious code inside Chrome and Edge. According to the screenshot shared by Agarwal, the PoC HTML file, and its associated JavaScript file, can be loaded in a Chromium-based browser to exploit the security flaw and launch the Windows calculator (calc.exe) app. But it's worth noting that the exploit needs to be chained with another flaw that can allow it to escape Chro
Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild

Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild

March 12, 2021Ravie Lakshmanan
Google has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month. The browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users. While the update contains a total of five security fixes, the most important flaw rectified by Google concerns a  use after free  vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193. Details about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9. According to IBM, the vulnerability is rated 8.8 out of 10 on the CVSS scale, and could allow a remote attacker to execute arbitrary code on the target system. "By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system," the
Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials

Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials

February 19, 2021Ravie Lakshmanan
A credential stealer infamous for targeting Windows systems has resurfaced in a new phishing campaign that aims to steal credentials from Microsoft Outlook, Google Chrome, and instant messenger apps. Primarily directed against users in Turkey, Latvia, and Italy starting mid-January, the attacks involve the use of  MassLogger  — a .NET-based malware with capabilities to hinder static analysis — building on similar campaigns undertaken by the same actor against users in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October, and November 2020. MassLogger was first spotted in the wild last April, but the presence of a new variant implies malware authors are constantly retooling their arsenal to evade detection and monetize them. "Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain," researchers with Cisco Talos  said  on W
WARNING — Hugely Popular 'The Great Suspender' Chrome Extension Contains Malware

WARNING — Hugely Popular 'The Great Suspender' Chrome Extension Contains Malware

February 06, 2021Ravie Lakshmanan
Google on Thursday removed The Great Suspender , a popular Chrome extension used by millions of users, from its Chrome Web Store for containing malware. It also took the unusual step of deactivating it from users' computers. "This extension contains malware,"  read  a terse notification from Google, but it has since emerged that the add-on stealthily added features that could be exploited to execute arbitrary code from a remote server, including tracking users online and committing advertising fraud. "The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more," Calum McConnell  said  in a GitHub post. The extension, which had more than two million installs before it was disabled, would suspend tabs that aren't in use, replacing them with a blank gray screen until they were reloaded upon returning to the tabs in question. Signs of the
New Chrome Browser 0-day Under Active Attack—Update Immediately!

New Chrome Browser 0-day Under Active Attack—Update Immediately!

February 04, 2021Ravie Lakshmanan
Google has patched a zero-day vulnerability in Chrome web browser for desktop that it says is being actively exploited in the wild. The company released  88.0.4324.150  for Windows, Mac, and Linux, with a fix for a heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine. "Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the company said in a statement. The security flaw was reported to Google by Mattias Buelens on January 24. Previously on February 2, Google  addressed six issues in Chrome , including one critical use after free vulnerability in Payments (CVE-2021-21142) and four high severity flaws in Extensions, Tab Groups, Fonts, and Navigation features. While it's typical of Google to limit details of the vulnerability until a majority of users are updated with the fix, the development comes weeks after Google and Microsoft  disclosed  attacks carried out by North Korean hackers against security researc
Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions

Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions

February 03, 2021Ravie Lakshmanan
New details have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were found to hijack clicks to links in search results pages to arbitrary URLs, including phishing sites and ads. Collectively called " CacheFlow " by Avast, the 28 extensions in question — including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock — made use of a sneaky trick to mask its true purpose: Leverage  Cache-Control  HTTP header as a covert channel to retrieve commands from an attacker-controlled server. All the  backdoored browser add-ons  have been taken down by Google and Microsoft as of December 18, 2020, to prevent more users from downloading them from the official stores. According to telemetry data gathered by the firm, the top three infected countries were Brazil, Ukraine, and France, followed by Argentina, Spain, Russia, and the U.S. The CacheFlow sequence began when unsuspecting users downloaded one of the
Watch Out! Adrozek Malware Hijacking Chrome, Firefox, Edge, Yandex Browsers

Watch Out! Adrozek Malware Hijacking Chrome, Firefox, Edge, Yandex Browsers

December 11, 2020Ravie Lakshmanan
Microsoft on Thursday took the wraps off an ongoing campaign impacting popular web browsers that stealthily injects malware-infested ads into search results to earn money via affiliate advertising. "Adrozek," as it's called by the Microsoft 365 Defender Research Team, employs an "expansive, dynamic attacker infrastructure" consisting of 159 unique domains, each of which hosts an average of 17,300 unique URLs, which in turn host more than 15,300 unique malware samples. The campaign — which impacts Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox browsers on Windows — aims to insert additional, unauthorized ads on top of legitimate ads displayed on search engine results pages, leading users to click on these ads inadvertently. Microsoft said the persistent browser modifier malware has been observed since May this year, with over 30,000 devices affected every day at its peak in August. "Cybercriminals abusing affiliate programs is not
New Chrome Zero-Day Under Active Attacks – Update Your Browser

New Chrome Zero-Day Under Active Attacks – Update Your Browser

November 03, 2020Ravie Lakshmanan
Google has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update. The company  released  86.0.4240.183 for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users. The zero-day flaw, tracked as  CVE-2020-16009 , was reported by Clement Lecigne of Google's Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero on October 29. The company also warned that it "is aware of reports that an exploit for CVE-2020-16009 exists in the wild." Google hasn't made any details about the bug or the exploit used by threat actors public so as to allow a majority of users to install the updates and prevent other adversaries from developing their own exploits leveraging the flaw. But Ben Hawkes, Google Project Zero's technical lead,  said  CVE-2020-16009 concerned an "inappropriate implementation" of its
Over 100 New Chrome Browser Extensions Caught Spying On Users

Over 100 New Chrome Browser Extensions Caught Spying On Users

June 22, 2020Ravie Lakshmanan
Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors. Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single internet domain registrar, GalComm. However, it's not immediately clear who is behind the spyware effort. "This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input," Awake Security said. The extensions in question posed as utilities offering capabilities to convert files from one format to the other, among other tools for secure browsing, while relying on thousands of fake reviews to trick unsuspecting users into installing them. Furthermore, the
49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets

49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets

April 15, 2020Ravie Lakshmanan
Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. The 49 browser add-ons, potentially the work of Russian threat actors, were identified  (find the list here) by researchers from MyCrypto and PhishFort. "Essentially, the extensions are phishing for secrets — mnemonic phrases , private keys, and keystore files," explained Harry Denley, director of security at MyCrypto. "Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts." Although the offending extensions were removed within 24 hours after they were reported to Google, MyCrypto's analysis showed that they began to appear on the Web Store as early as February 2020, before ramping up in subsequent months. In addition, all the extensions functioned a
Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

February 25, 2020Ravie Lakshmanan
Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days. The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities , all of which have been marked 'HIGH' in severity, including one that (CVE-2020-6418) has been reportedly exploited in the wild. The brief description of the Chrome bugs, which impose a significant risk to your systems if left unpatched, are as follows: Integer overflow in ICU — Reported by André Bargull on 2020-01-22 Out of bounds memory access in streams (CVE-2020-6407) — Reported by Sergei Glazunov of Google Project Zero on 2020-01-27 Type confusion in V8 (CVE-2020-6418) — Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18 The Integer Overflow vulnerability was disclosed by André Bargull privately to Google last month, earning him $5,000 in rewards, while the other two
New Chrome 0-day Bug Under Active Attacks – Update Your Browser Now!

New Chrome 0-day Bug Under Active Attacks – Update Your Browser Now!

November 01, 2019Swati Khandelwal
Attention readers, if you are using Chrome on your Windows, Mac, and Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. With the release of Chrome 78.0.3904.87, Google is warning billions of users to install an urgent software update immediately to patch two high severity vulnerabilities, one of which attackers are actively exploiting in the wild to hijack computers. Without revealing technical details of the vulnerability, the Chrome security team only says that both issues are use-after-free vulnerabilities, one affecting Chrome's audio component ( CVE-2019-13720 ) while the other resides in the PDFium ( CVE-2019-13721 ) library. The use-after-free vulnerability is a class of memory corruption issues that allows corruption or modification of data in the memory, enabling an unprivileged user to escalate privileges on an affected system or software. Thus, both flaws could enable remote attackers
Chrome for Android Enables Site Isolation Security Feature for All Sites with Login

Chrome for Android Enables Site Isolation Security Feature for All Sites with Login

October 17, 2019Swati Khandelwal
After enabling ' Site Isolation ' security feature in Chrome for desktops last year, Google has now finally introduced 'the extra line of defence' for Android smartphone users surfing the Internet over the Chrome web browser. In brief, Site Isolation is a security feature that adds an additional boundary between websites by ensuring that pages from different sites end up in different sandboxed processes in the browser. Since each site in the browser gets its own isolated process, in case of a browser flaw or Spectre like side-channel vulnerability, the feature makes it harder for attackers or malicious websites to access or steal cross-site data of your accounts on other websites. Site Isolation helps protect many types of sensitive data, including authentication cookies, stored passwords, network data, stored permissions, as well as cross-origin messaging that help sites securely pass messages across domains. The feature gained attention in January 2018,
Two Widely Used Ad Blocker Extensions for Chrome Caught in Ad Fraud Scheme

Two Widely Used Ad Blocker Extensions for Chrome Caught in Ad Fraud Scheme

September 20, 2019Swati Khandelwal
Two widely used Adblocker Google Chrome extensions , posing as the original — AdBlock and uBlock Origin — extensions on Chrome Web Store, have been caught stuffing cookies in the web browser of millions of users to generate affiliate income from referral schemes fraudulently. There's no doubt web extensions add a lot of useful features to web browsers, making your online experience great and aiding productivity, but at the same time, they also pose huge threats to both your privacy and security. Being the most over-sighted weakest link in the browser security model, extensions sit between the browser application and the Internet — from where they look for the websites you visit and subsequently can intercept, modify, and block any requests, based on the functionalities they have been designed for. Apart from the extensions which are purposely created with malicious intent , in recent years we have also seen some of the most popular legitimate Chrome and Firefox extensions g
Update Google Chrome Browser to Patch New Critical Security Flaws

Update Google Chrome Browser to Patch New Critical Security Flaws

September 19, 2019Wang Wei
Google has released an urgent software update for its Chrome web browser and is urging Windows, Mac, and Linux users to upgrade the application to the latest available version immediately. Started rolling out to users worldwide this Wednesday, the Chrome 77.0.3865.90 version contains security patches for 1 critical and 3 high-risk security vulnerabilities, the most severe of which could allow remote hackers to take control of an affected system. Google has decided to keep details of all four vulnerabilities secret for a few more days in order to prevent hackers from exploiting them and give users enough time to install the Chrome update. For now, Chrome security team has only revealed that all four vulnerabilities are use-after-free issues in different components of the web browser, as mentioned below, the critical of which could lead to remote code execution attacks. The use-after-free vulnerability is a class of memory corruption issue that allows corruption or modificat
Google Chrome to Introduce Improved Cookie Controls Against Online Tracking

Google Chrome to Introduce Improved Cookie Controls Against Online Tracking

May 08, 2019Mohit Kumar
At the company's I/O 2019 developer conference, Google has announced its plan to introduce two new privacy and security-oriented features in the upcoming versions of its Chrome web browser. In an attempt to allow users to block online tracking, Google has announced two new features—Improved SameSite Cookies and Fingerprinting Protection—that will be previewed by Google in the Chrome web browser later this year. Cookies, also referred to as HTTP cookies or browser cookies, are the small pieces of information that websites store on your computer, which play an important role in improving your online experience. Cookies are created by a web browser when a user loads a particular website, which helps the website to remember information about your visit, like your login information, preferred language, items in the shopping cart and other settings. However, cookies are also being widely used to identify users and track their activities not only on the site that issued a cooki
Microsoft Releases First Preview Builds of Chromium-based Edge Browser

Microsoft Releases First Preview Builds of Chromium-based Edge Browser

April 08, 2019Mohit Kumar
Microsoft today finally released the first new reborn version of its Edge browser that the company rebuilds from scratch using Chromium engine, the same open-source web rendering engine that powers Google's Chrome browser. However, the Chromium-based Edge browser builds haven't yet entered the stable or even the beta release; instead, Microsoft has released two testing-purpose preview builds for developers. Both previews build— "Canary"  that will be updated daily, and "Developer"  that will be updated every week—are now available for download from the Microsoft's new Edge insider website . Here's how Microsoft differentiates Canary and Developer builds: "Every night, we produce a build of Microsoft Edge — if it passes automated testing, we'll release it to the Canary channel. We use this same channel internally to validate bug fixes and test brand new features. The Canary channel is truly the bleeding edge, so you may discover bugs
Google Will Prompt European Android Users to Select Preferred Default Browser

Google Will Prompt European Android Users to Select Preferred Default Browser

March 20, 2019Swati Khandelwal
Google announced some major changes for its Android mobile operating system in October after the European Commission hit the company with a record $5 billion antitrust fine for pre-installing its own apps and services on third-party Android phones. The European Commission accused Google of forcing Android phone manufacturers to "illegally" tie its proprietary apps and services—specifically, Chrome and Google Search as the default browsers—to Android, unfairly blocking competitors from reaching consumers. This rule led Google to change the way it licenses the Google mobile application suite to Android smartphone makers. Now, Google is further making some changes related to browser and search engine choice. In a blog post published Tuesday, Google announced that the company would prompt Android phone owners in Europe (new and existing ones) in the coming months to choose from a variety of web browsers and search engines for their devices as their default apps. &
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.