The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Google Chrome

Over 100 New Chrome Browser Extensions Caught Spying On Users

Over 100 New Chrome Browser Extensions Caught Spying On Users

June 22, 2020Ravie Lakshmanan
Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors. Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single internet domain registrar, GalComm. However, it's not immediately clear who is behind the spyware effort. "This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input," Awake Security said. The extensions in question posed as utilities offering capabilities to convert files from one format to the other, among other tools for secure browsing, while relying on thousands of fake reviews to trick unsuspecting users into installing them. Furthermore, the
49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets

49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets

April 15, 2020Ravie Lakshmanan
Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. The 49 browser add-ons, potentially the work of Russian threat actors, were identified  (find the list here) by researchers from MyCrypto and PhishFort. "Essentially, the extensions are phishing for secrets — mnemonic phrases , private keys, and keystore files," explained Harry Denley, director of security at MyCrypto. "Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts." Although the offending extensions were removed within 24 hours after they were reported to Google, MyCrypto's analysis showed that they began to appear on the Web Store as early as February 2020, before ramping up in subsequent months. In addition, all the extensions functioned a
Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

February 25, 2020Ravie Lakshmanan
Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days. The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities , all of which have been marked 'HIGH' in severity, including one that (CVE-2020-6418) has been reportedly exploited in the wild. The brief description of the Chrome bugs, which impose a significant risk to your systems if left unpatched, are as follows: Integer overflow in ICU — Reported by André Bargull on 2020-01-22 Out of bounds memory access in streams (CVE-2020-6407) — Reported by Sergei Glazunov of Google Project Zero on 2020-01-27 Type confusion in V8 (CVE-2020-6418) — Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18 The Integer Overflow vulnerability was disclosed by André Bargull privately to Google last month, earning him $5,000 in rewards, while the other two
New Chrome 0-day Bug Under Active Attacks – Update Your Browser Now!

New Chrome 0-day Bug Under Active Attacks – Update Your Browser Now!

November 01, 2019Swati Khandelwal
Attention readers, if you are using Chrome on your Windows, Mac, and Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. With the release of Chrome 78.0.3904.87, Google is warning billions of users to install an urgent software update immediately to patch two high severity vulnerabilities, one of which attackers are actively exploiting in the wild to hijack computers. Without revealing technical details of the vulnerability, the Chrome security team only says that both issues are use-after-free vulnerabilities, one affecting Chrome's audio component ( CVE-2019-13720 ) while the other resides in the PDFium ( CVE-2019-13721 ) library. The use-after-free vulnerability is a class of memory corruption issues that allows corruption or modification of data in the memory, enabling an unprivileged user to escalate privileges on an affected system or software. Thus, both flaws could enable remote attackers
Chrome for Android Enables Site Isolation Security Feature for All Sites with Login

Chrome for Android Enables Site Isolation Security Feature for All Sites with Login

October 17, 2019Swati Khandelwal
After enabling ' Site Isolation ' security feature in Chrome for desktops last year, Google has now finally introduced 'the extra line of defence' for Android smartphone users surfing the Internet over the Chrome web browser. In brief, Site Isolation is a security feature that adds an additional boundary between websites by ensuring that pages from different sites end up in different sandboxed processes in the browser. Since each site in the browser gets its own isolated process, in case of a browser flaw or Spectre like side-channel vulnerability, the feature makes it harder for attackers or malicious websites to access or steal cross-site data of your accounts on other websites. Site Isolation helps protect many types of sensitive data, including authentication cookies, stored passwords, network data, stored permissions, as well as cross-origin messaging that help sites securely pass messages across domains. The feature gained attention in January 2018,
Two Widely Used Ad Blocker Extensions for Chrome Caught in Ad Fraud Scheme

Two Widely Used Ad Blocker Extensions for Chrome Caught in Ad Fraud Scheme

September 20, 2019Swati Khandelwal
Two widely used Adblocker Google Chrome extensions , posing as the original — AdBlock and uBlock Origin — extensions on Chrome Web Store, have been caught stuffing cookies in the web browser of millions of users to generate affiliate income from referral schemes fraudulently. There's no doubt web extensions add a lot of useful features to web browsers, making your online experience great and aiding productivity, but at the same time, they also pose huge threats to both your privacy and security. Being the most over-sighted weakest link in the browser security model, extensions sit between the browser application and the Internet — from where they look for the websites you visit and subsequently can intercept, modify, and block any requests, based on the functionalities they have been designed for. Apart from the extensions which are purposely created with malicious intent , in recent years we have also seen some of the most popular legitimate Chrome and Firefox extensions g
Update Google Chrome Browser to Patch New Critical Security Flaws

Update Google Chrome Browser to Patch New Critical Security Flaws

September 19, 2019Wang Wei
Google has released an urgent software update for its Chrome web browser and is urging Windows, Mac, and Linux users to upgrade the application to the latest available version immediately. Started rolling out to users worldwide this Wednesday, the Chrome 77.0.3865.90 version contains security patches for 1 critical and 3 high-risk security vulnerabilities, the most severe of which could allow remote hackers to take control of an affected system. Google has decided to keep details of all four vulnerabilities secret for a few more days in order to prevent hackers from exploiting them and give users enough time to install the Chrome update. For now, Chrome security team has only revealed that all four vulnerabilities are use-after-free issues in different components of the web browser, as mentioned below, the critical of which could lead to remote code execution attacks. The use-after-free vulnerability is a class of memory corruption issue that allows corruption or modificat
Google Chrome to Introduce Improved Cookie Controls Against Online Tracking

Google Chrome to Introduce Improved Cookie Controls Against Online Tracking

May 08, 2019Mohit Kumar
At the company's I/O 2019 developer conference, Google has announced its plan to introduce two new privacy and security-oriented features in the upcoming versions of its Chrome web browser. In an attempt to allow users to block online tracking, Google has announced two new features—Improved SameSite Cookies and Fingerprinting Protection—that will be previewed by Google in the Chrome web browser later this year. Cookies, also referred to as HTTP cookies or browser cookies, are the small pieces of information that websites store on your computer, which play an important role in improving your online experience. Cookies are created by a web browser when a user loads a particular website, which helps the website to remember information about your visit, like your login information, preferred language, items in the shopping cart and other settings. However, cookies are also being widely used to identify users and track their activities not only on the site that issued a cooki
Microsoft Releases First Preview Builds of Chromium-based Edge Browser

Microsoft Releases First Preview Builds of Chromium-based Edge Browser

April 08, 2019Mohit Kumar
Microsoft today finally released the first new reborn version of its Edge browser that the company rebuilds from scratch using Chromium engine, the same open-source web rendering engine that powers Google's Chrome browser. However, the Chromium-based Edge browser builds haven't yet entered the stable or even the beta release; instead, Microsoft has released two testing-purpose preview builds for developers. Both previews build— "Canary"  that will be updated daily, and "Developer"  that will be updated every week—are now available for download from the Microsoft's new Edge insider website . Here's how Microsoft differentiates Canary and Developer builds: "Every night, we produce a build of Microsoft Edge — if it passes automated testing, we'll release it to the Canary channel. We use this same channel internally to validate bug fixes and test brand new features. The Canary channel is truly the bleeding edge, so you may discover bugs
Google Will Prompt European Android Users to Select Preferred Default Browser

Google Will Prompt European Android Users to Select Preferred Default Browser

March 20, 2019Swati Khandelwal
Google announced some major changes for its Android mobile operating system in October after the European Commission hit the company with a record $5 billion antitrust fine for pre-installing its own apps and services on third-party Android phones. The European Commission accused Google of forcing Android phone manufacturers to "illegally" tie its proprietary apps and services—specifically, Chrome and Google Search as the default browsers—to Android, unfairly blocking competitors from reaching consumers. This rule led Google to change the way it licenses the Google mobile application suite to Android smartphone makers. Now, Google is further making some changes related to browser and search engine choice. In a blog post published Tuesday, Google announced that the company would prompt Android phone owners in Europe (new and existing ones) in the coming months to choose from a variety of web browsers and search engines for their devices as their default apps. &
New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild

New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild

March 06, 2019Mohit Kumar
You must update your Google Chrome immediately to the latest version of the web browsing application. Security researcher Clement Lecigne of Google's Threat Analysis Group discovered and reported a high severity vulnerability in Chrome late last month that could allow remote attackers to execute arbitrary code and take full control of the computers. The vulnerability, assigned as CVE-2019-5786 , affects the web browsing software for all major operating systems including Microsoft Windows, Apple macOS, and Linux. Without revealing technical details of the vulnerability, the Chrome security team only says the issue is a use-after-free vulnerability in the FileReader component of the Chrome browser, which leads to remote code execution attacks. What's more worrisome? Google warned that this zero-day RCE vulnerability is actively being exploited in the wild by attackers to target Chrome users. "Access to bug details and links may be kept restricted until a majo
Thousands of Google Chromecast Devices Hijacked to Promote PewDiePie

Thousands of Google Chromecast Devices Hijacked to Promote PewDiePie

January 03, 2019Mohit Kumar
A group of hackers has hijacked tens of thousands of Google's Chromecast streaming dongles, Google Home smart speakers and smart TVs with built-in Chromecast technology in recent weeks by exploiting a bug that's allegedly been ignored by Google for almost five years. The attackers, who go by Twitter handles @HackerGiraffe and @j3ws3r, managed to hijack Chromecasts' feeds and display a pop-up, spreading a security warning as well as controversial YouTube star PewDiePie propaganda. The hackers are the same ones who hijacked more than 50,000 internet-connected printers worldwide late last year by exploiting vulnerable printers to print out flyers asking everyone to subscribe to PewDiePie YouTube channel. This time, the hackers remotely scanned the internet for compatible devices, including Chromecasts, exposed to the internet through poorly configured routers that have Universal Plug and Play [UPnP] enabled by default. The hackers then exploited a design flaw in Chrome
Google Partially Patches Flaw in Chrome for Android 3 Years After Disclosure

Google Partially Patches Flaw in Chrome for Android 3 Years After Disclosure

January 03, 2019Swati Khandelwal
Google has finally patched a privacy vulnerability in its Chrome web browser for Android that exposes users' device model and firmware version, eventually enabling remote attackers to identify unpatched devices and exploit known vulnerabilities. The vulnerability, which has not yet given any CVE number, is an information disclosure bug that resides in the way the Google Chrome for Android generates 'User Agent' string containing the Android version number and build tag information, which includes device name and its firmware build. This information is also sent to applications using WebView and Chrome Tabs APIs, which can be used to track users and fingerprint devices on which they are running. For example: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36 Yakov Shafranovich, a contributor at Nightwatch Cybersecurity firm, initially reported this issue to Google three years a
Microsoft building Chrome-based browser to replace Edge on Windows 10

Microsoft building Chrome-based browser to replace Edge on Windows 10

December 04, 2018Mohit Kumar
It is no secret how miserably Microsoft's 3-year-old Edge web browser has failed to compete against Google Chrome despite substantial investment and continuous improvements. According to the latest round of tech rumors, Microsoft has given up on Edge and reportedly building a new Chromium -based web browser, dubbed project codename " Anaheim " internally, that will replace Edge on Windows 10 operating system as its new default browser, a journalist at WindowsCentral learned. Though there is no mention of Project Anaheim on the Microsoft website as of now (except Anaheim Convention Center at California), many speculate that the new built-in browser could appear in the 19H1 development cycle of Microsoft's Insider Preview program. According to the report, the new browser will be powered by Blink rendering engine used by Chromium, one that also powers Google's Chrome browser, instead of Microsoft's own EdgeHTML engine. Chromium is an open-source Web b
Google Will Charge Android Phone Makers to Use Its Apps In Europe

Google Will Charge Android Phone Makers to Use Its Apps In Europe

October 17, 2018Mohit Kumar
Would you prefer purchasing an Android device that doesn't have any apps or services from Google? No Google Maps, No Gmail, No YouTube! And NOT even the Google Play Store—from where you could have installed any Android apps you want Because if you live in Europe, from now on, you have to spend some extra cash on a smartphone with built-in Google services, which were otherwise until now freely available and already included in the cost of your smartphone. For the very first time, Google has announced its plans to charge a fee to European Android phone manufacturers who want to include a free version of Google apps on their Android handsets. In short, Android phone makers will now have to pay Google for installing the Play store, Gmail, YouTube, Maps, and Chrome, that are usually considered to be core parts of the Android operating system, but are actually Google services. "Since the pre-installation of Google Search and Chrome together with our other apps helped us
Chrome, Firefox, Edge and Safari Plans to Disable TLS 1.0 and 1.1 in 2020

Chrome, Firefox, Edge and Safari Plans to Disable TLS 1.0 and 1.1 in 2020

October 15, 2018Swati Khandelwal
All major web browsers, including Google Chrome, Apple Safari, Microsoft Edge, Internet Explorer, and Mozilla Firefox, altogether today announced to soon remove support for TLS 1.0 (20-year-old) and TLS 1.1 (12-year-old) communication encryption protocols. Developed initially as Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) is an updated cryptographic protocol used to establish a secure and encrypted communications channel between clients and servers. There are currently four versions of the TLS protocol—TLS 1.0, 1.1, 1.2 and 1.3 ( latest )—but older versions, TLS 1.0 and 1.1, are known to be vulnerable to a number of critical attacks, such as  POODLE  and  BEAST . Since TLS implementation in all major web browsers and applications supports downgrade negotiation process, it leaves an opportunity for attackers to exploit weaker protocols even if a server supports the latest version. All Major Web Browsers Will Remove TLS 1.0 and TLS 1.1 Support in 2020
Google Announces 5 Major Security Updates for Chrome Extensions

Google Announces 5 Major Security Updates for Chrome Extensions

October 02, 2018Mohit Kumar
Google has made several new announcements for its Chrome Web Store that aims at making Chrome extensions more secure and transparent to its users. Over a couple of years, we have seen a significant rise in malicious extensions that appear to offer useful functionalities, while running hidden malicious scripts in the background without the user's knowledge. However, the best part is that Google is aware of the issues and has proactively been working to change the way its Chrome web browser handles extensions. Earlier this year, Google banned extensions using cryptocurrency mining scripts and then in June, the company also disabled inline installation of Chrome extensions completely. The company has also been using machine learning technologies to detect and block malicious extensions. To take a step further, Google announced Monday five major changes that give users more control over certain permissions, enforces security measures, as well as makes the ecosystem more t
Chrome Bug Allowed Hackers to Find Out Everything Facebook Knows About You

Chrome Bug Allowed Hackers to Find Out Everything Facebook Knows About You

August 16, 2018Mohit Kumar
With the release of Chrome 68, Google prominently marks all non-HTTPS websites as 'Not Secure' on its browser to make the web a more secure place for Internet users. If you haven't yet, there is another significant reason to immediately switch to the latest version of the Chrome web browser. Ron Masas, a security researcher from Imperva, has discovered a vulnerability in web browsers that could allow attackers to find everything other web platforms, like Facebook and Google, knows about you—and all they need is just trick you into visiting a website. The vulnerability, identified as CVE-2018-6177 , takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by "Blink Engine," including Google Chrome. To illustrate the attack scenario, the researcher took an example of Facebook, a popular social media platform that collects in-depth profiling information on its users, including their age, gender, where you have been (loca
From today, Google Chrome starts marking all non-HTTPS sites 'Not Secure'

From today, Google Chrome starts marking all non-HTTPS sites 'Not Secure'

July 24, 2018Mohit Kumar
Starting today with the release of Chrome 68, Google Chrome prominently marks all non-HTTPS websites as 'Not Secure' in its years-long effort to make the web a more secure place for Internet users. So if you are still running an insecure HTTP (Hypertext Transfer Protocol) website, many of your visitors might already be greeted with a 'Not Secure' message on their Google Chrome browser warning them that they can't trust your website to be secure. By displaying ' Not Secure ,' Google Chrome means that your connection is not secure because there is no SSL Certificate to encrypt your connection between your computer and the website's server. So, anything sent over a non-HTTPS connection is in plain text, like your password or payment card information, allowing attackers to snoop or tamper with your data. The non-https connection has been considered dangerous particularly for web pages that transfer sensitive information—like login pages and payment
EU Fines Google Record $5 Billion in Android Antitrust Case

EU Fines Google Record $5 Billion in Android Antitrust Case

July 18, 2018Swati Khandelwal
Google has been hit by a record-breaking $5 billion antitrust fine by the European Union regulators for abusing the dominance of its Android mobile operating system and thwarting competitors. That's the largest ever antitrust penalty. Though Android is an open-source and free operating system, device manufacturers still have to obtain a license, with certain conditions, from Google to integrate its Play Store service within their smartphones. The European Commission levied the fine Wednesday, saying that Google has broken the law by forcing Android smartphone manufacturers to pre-install its own mobile apps and services, like Google Search, Chrome, YouTube, and Gmail, as a condition for licensing. This tactic eventually gives Google's app and services an unfair preference over other rival services, preventing rivals from innovating and competing, which is "illegal under EU antitrust rules." Google's Android operating system runs on more than 80 percen
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.