The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Google Chrome

Google Enables 'Site Isolation' Feature By Default For Chrome Desktop Users

Google Enables 'Site Isolation' Feature By Default For Chrome Desktop Users

July 12, 2018Mohit Kumar
Google has by default enabled a security feature called "Site Isolation" in its web browser with the release of Chrome 67 for all desktop users to help them protect against many online threats, including Spectre and Meltdown attack . Site Isolation is a feature of the Google Chrome web browser that adds an additional security boundary between websites by ensuring that different sites are always put into separate processes, isolated from each other. Since each site in the browser gets its own sandboxed process, the feature makes it harder for untrusted websites to access or steal information of your accounts on other websites. In January this year when Google Project Zero researchers disclosed details of Spectre and Meltdown CPU vulnerabilities, the tech giant recommended Chrome desktop users to manually turn on Site Isolation feature on their devices to mitigate speculative side-channel attacks. "Even if a Spectre attack were to occur in a malicious web page,
Update Google Chrome Immediately to Patch a High Severity Vulnerability

Update Google Chrome Immediately to Patch a High Severity Vulnerability

June 06, 2018Mohit Kumar
You must update your Google Chrome now. Security researcher Michał Bentkowski discovered and reported a high severity vulnerability in Google Chrome in late May, affecting the web browsing software for all major operating systems including Windows, Mac, and Linux. Without revealing any technical detail about the vulnerability, the Chrome security team described the issue as incorrect handling of CSP header ( CVE-2018-6148 ) in a blog post published today. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the Chrome security team notes. Content Security Policy (CSP) header allows website administrators to add an extra layer of security on a given web page by allowing them to control resources the browser is allowed to load. Mishandling of CSP headers by your web brow
Over 20 Million Users Installed Malicious Ad Blockers From Chrome Store

Over 20 Million Users Installed Malicious Ad Blockers From Chrome Store

April 19, 2018Mohit Kumar
If you have installed any of the below-mentioned Ad blocker extension in your Chrome browser, you could have been hacked. A security researcher has spotted five malicious ad blockers extension in the Google Chrome Store that had already been installed by at least 20 million users. Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow its creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details. Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers. Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them. "All the extensions I've highlighted are simple rip-offs with a few lines of co
Google Bans Cryptocurrency Mining Extensions From Chrome Web Store

Google Bans Cryptocurrency Mining Extensions From Chrome Web Store

April 02, 2018Swati Khandelwal
In an effort to prevent cryptojacking by extensions that maliciously mine digital currencies without users' awareness, Google has implemented a new Web Store policy that bans any Chrome extension submitted to the Web Store that mines cryptocurrency. Over the past few months, we have seen a sudden rise in malicious extensions that appear to offer useful functionality, while embedding hidden cryptocurrency mining scripts that run in the background without the user's knowledge. Last month, cryptocurrency miners were even found in a Russian nuclear weapons lab and on thousands of government websites . In January, cryptocurrency mining malware also infected more than half-million PCs . Until now, only those cryptocurrency mining extensions were allowed on the Chrome Web Store that are solely intended for mining, and explicitly informed users about its working and revenue model. If the company finds any mining extension developers submitted was not in compliance and secre
[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

January 05, 2018Swati Khandelwal
Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products. The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20 years. What are Spectre and Meltdown? We have explained both , Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), exploitation techniques in our previous article. In short, Spectre and Meltdown are the names of security vulnerabilities found in many processors from Intel, ARM and AMD that could allow attackers to steal your passwords, encryption keys and other private information. Both attacks abuse 'speculative execution' to access privileged memory—including those allocated for the kernel—from a low privileged user process like a malicious app running on a
Google to Block Third-Party Software from Injecting Code into Chrome Browser

Google to Block Third-Party Software from Injecting Code into Chrome Browser

November 30, 2017Swati Khandelwal
To improve performance and reduce crashes caused by third-party software on Windows, Google Chrome, by mid-2018, will no longer allow outside applications to run code within its web browser. If you are unaware, many third-party applications, like accessibility or antivirus software, inject code into your web browser for gaining more control over your online activities in order to offer some additional features and function properly. However, Google notes that over 15 percent of Chrome users running third-party applications on their Windows machines that inject code into their web browsers experience crashes—and trust me it's really annoying. But don't you worry. Google now has a solution to this issue. In a blog post published Thursday on Chromium Blog, Google announced its plan to block third-party software from injecting code into Chrome—and these changes will take place in three steps: April 2018 — With the release of Chrome 66, Google will begin informing use
Microsoft Engineer Installs Google Chrome Mid-Presentation After Edge Kept Crashing

Microsoft Engineer Installs Google Chrome Mid-Presentation After Edge Kept Crashing

November 01, 2017Wang Wei
Ever since the launch of Windows 10, Microsoft has been heavily pushing its Edge browser, claiming it to be the best web browser over its competitors like Mozilla Firefox, Opera and Google Chrome in terms of speed and battery performance. However, Microsoft must admit that most users make use of Edge or Internet Explorer only to download Chrome, which is by far the world's most popular internet browser. Something hilarious happened recently during a live demonstration when a Microsoft engineer caught on a video switching from Edge to Chrome after the default Windows 10 browser stopped responding in the middle of the presentation. That is really embarrassing. The incident happened in the middle of a Microsoft Ignite conference, where the Microsoft presenter Michael Leworthy was demonstrating how to one can migrate their applications and data to Microsoft Azure cloud service. See what happens in the video below: However, Leworthy was forced to pause his Azure presenta
Someone Hijacks A Popular Chrome Extension to Push Malware

Someone Hijacks A Popular Chrome Extension to Push Malware

July 31, 2017Swati Khandelwal
Phishers have recently hacked an extension for Google Chrome after compromising the Chrome Web Store account of German developer team a9t9 software and abused to distribute spam messages to unsuspecting users. Dubbed Copyfish, the extension allows users to extract text from images, PDF documents and video, and has more than 37,500 users. Unfortunately, the Chrome extension of Copyfish has been hijacked and compromised by some unknown attacker, who equipped the extension with advertisement injection capabilities. However, its Firefox counterpart was not affected by the attack. The attackers even moved the extension to their developer account, preventing its developers from removing the infected extension from the store, even after being spotted that the extension has been compromised. "So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time… until we get it back," the de
Google Chrome Bans Chinese SSL Certificate Authorities WoSign and StartCom

Google Chrome Bans Chinese SSL Certificate Authorities WoSign and StartCom

July 08, 2017Mohit Kumar
As a punishment announced last October, Google will no longer trust SSL/TLS certificate authorities WoSign and its subsidiary StartCom with the launch of Chrome 61 for not maintaining the "high standards expected of CAs." The move came after Google was notified by GitHub's security team on August 17, 2016, that Chinese Certificate Authority WoSign had issued a base certificate for one of GitHub's domains to an unnamed GitHub user without authorization. After this issue had been reported, Google conducted an investigation in public as a collaboration with Mozilla and the security community, which uncovered several other cases of WoSign misissuance of certificates. As a result, the tech giant last year began limiting its trust of certificates backed by WoSign and StartCom to those issued before October 21st, 2016 and has been removing whitelisted hostnames over the course of several Chrome releases since Chrome 56. Now, in a Google Groups post published
Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication

Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication

May 30, 2017Swati Khandelwal
What if your laptop is listening to everything that is being said during your phone calls or other people near your laptop and even recording video of your surrounding without your knowledge? Sounds really scary! Isn't it? But this scenario is not only possible but is hell easy to accomplish. A UX design flaw in the Google's Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on. AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, 2017, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way. How Browsers Works With Camera & Microphone Before jumping onto vulnerability details, you first need to know that web browser based audio-video communication relies on WebRTC (Web Real-Time Communications) protocol – a collection of communications protocols th
Beware! Hackers Can Steal Your Windows Password Remotely Using Chrome

Beware! Hackers Can Steal Your Windows Password Remotely Using Chrome

May 17, 2017Mohit Kumar
A security researcher has discovered a serious vulnerability in the default configuration of the latest version of Google's Chrome running on any version of Microsoft's Windows operating system, including Windows 10, that could allow remote hackers to steal user's login credentials. Researcher Bosko Stankovic of DefenseCode has found that just by visiting a website containing a malicious SCF file could allow victims to unknowingly share their computer's login credentials with hackers via Chrome and the SMB protocol. This technique is not new and was exploited by the Stuxnet — a powerful malware that specially designed to destroy Iran's nuclear program — that used the Windows shortcut LNK files to compromise systems. What's make this attack different from others is the fact that such SMB authentication related attacks have been first time demonstrated on Google Chrome publicly, after Internet Explorer (IE) and Edge. Chrome + SCF + SMB = Stealing Windows
This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera

This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera

April 17, 2017Mohit Kumar
A Chinese infosec researcher has reported about an "almost impossible to detect" phishing attack that can be used to trick even the most careful users on the Internet. He warned, hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users. What is the best defence against phishing attack? Generally, checking the address bar after the page has loaded and if it is being served over a valid HTTPS connection. Right? Okay, then before going to the in-depth details, first have a look at this demo web page  ( note: you may experience downtime due to high traffic on demo server ), set up by Chinese security researcher Xudong Zheng, who discovered the attack. " It becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL o
Beware! Don't Fall For "Font Wasn't Found" Google Chrome Malware Scam

Beware! Don't Fall For "Font Wasn't Found" Google Chrome Malware Scam

February 22, 2017Mohit Kumar
Next time when you accidentally or curiously land up on a website with jumbled content prompting you to download a missing font to read the blog by updating the Chrome font pack… …Just Don't Download and Install It. It's a Trap! Scammers and hackers are targeting Google Chrome users with this new hacking scam that's incredibly easy to fall for, prompting users to download a fake Google Chrome font pack update just to trick them into installing malware on their systems. Here's What the Scam is and How it works: It's a "The 'HoeflerText' font wasn't found" scam. Security firm NeoSmart Technologies recently identified the malicious campaign while browsing an unnamed WordPress website that had allegedly already been compromised, possibly due to failing to apply timely security updates. The scam is not a new one to identified by NeoSmart. It has been making rounds since last month . The hackers are inserting JavaScript into poorl
Google Chrome to Label Sensitive HTTP Pages as "Not Secure"

Google Chrome to Label Sensitive HTTP Pages as "Not Secure"

September 09, 2016Mohit Kumar
Although over three months remaining, Google has planned a New Year gift for the Internet users, who're concerned about their privacy and security. Starting in January of 2017, the world's most popular web browser Chrome will begin labeling HTTP sites that transmit passwords or ask for credit card details as " Not Secure " — the first step in Google's plan to discourage the use of sites that don't use encryption. The change will take effect with the release of Chrome 56 in January 2017 and affect certain unsecured web pages that feature entry fields for sensitive data, like passwords and payment card numbers, according to a post today on the Google Security Blog . Unencrypted HTTP has been considered dangerous particularly for login pages and payment forms, as it could allow a man-in-the-middle attacker to intercept passwords, login session, cookies and credit card data as they travel across the network. In the following release, Chrome will flag
Google makes it mandatory for Chrome Apps to tell Users what Data they collect

Google makes it mandatory for Chrome Apps to tell Users what Data they collect

April 19, 2016Mohit Kumar
In Brief Chrome apps and extensions make things easier, but they can also do terrible things like spy on web users and collect their personal data. But, now Google has updated its browser's User Data Policy requiring all Chrome extension and app developers to disclose what data they collect. Furthermore, developers are prohibited from collecting unnecessary browsing data and must also use encryption when handling sensitive information from users. Around 40 percent of all Google Chrome users have some kind of browser extensions, plugins or add-ons installed, but how safe are they? The company plans to enforce developers starting this summer, to "ensure transparent use of the data in a way that is consistent with the wishes and expectations of users." Google is making its Chrome Web Store safer for its users by forcing developers to disclose how they handle customers' data. Google's new User Data Policy will now force app developers, who use the Chrome We
Google to Speed Up Chrome for Fast Internet Browsing

Google to Speed Up Chrome for Fast Internet Browsing

January 22, 2016Wang Wei
Google is planning to make Chrome faster in order to provide its users fast Internet browsing experience. Thanks to a new, open-source data and web compression algorithm for the Internet called Brotli , which Google announced last year to boost its web page performance. With Brotli, Google will speed up Chrome and users could get a significant performance boost in coming months. Google introduced Brotli last September and claimed that the new algorithm is a "whole new data format" that could reduce file sizes by up to 26 percent higher than Zopfli , the company's three-year-old web compression technology. Net result – Fast Internet Browsing In a post on Google+ on Tuesday, web performance engineer at Google Ilya Grigorik announced that the new algorithm is coming to Chrome soon, which will change the way files are compressed, improving loading speeds by a quarter. Besides faster loading speeds, Brotli also have additional benefits for smartphone users, which
This Malware Can Delete and Replace Your Entire Chrome Browser with a lookalike

This Malware Can Delete and Replace Your Entire Chrome Browser with a lookalike

October 20, 2015Swati Khandelwal
Security researchers have uncovered a new piece of Adware that replaces your entire browser with a dangerous copy of Google Chrome , in a way that you will not notice any difference while browsing. The new adware software, dubbed " eFast Browser ," works by installing and running itself in place of Google Chrome The adware does all kinds of malicious activities that we have seen quite often over the years: Generates pop-up, coupon, pop-under and other similar ads on your screen Placing other advertisements into your web pages Redirects you to malicious websites containing bogus contents Tracking your movements on the web to help nefarious marketers send more crap your way to generating revenue Therefore, having eFast Browser installed on your machine may lead to serious privacy issues or even identity theft. What's Nefariously Intriguing About this Adware? The thing that makes this Adware different from others is that instead of taking contr
Microsoft doesn’t want Windows 10 Users to Switch to Chrome or Firefox

Microsoft doesn't want Windows 10 Users to Switch to Chrome or Firefox

October 19, 2015Swati Khandelwal
Microsoft wants Windows 10 users to use its Edge browser , and the company is pulling every trick out to make it happen. In a newly leaked Windows 10 preview release ( build 10568 ) , Microsoft has added a new prompt that appears whenever you try to switch away from default apps, including Microsoft Edge . Considering the wide adoption of Microsoft's newest operating system Windows 10, it seems that users are still hesitant in adopting Edge browser that comes bundled with  Windows 10 . To help encourage a higher adoption of Microsoft's default apps bundled with Windows 10, the software giant seems to be taking some steps. Come, Give Microsoft Edge A Shot!  If you already have Microsoft Edge as your default browser, then installing another rival browser, such as Google Chrome or Mozilla Firefox , and switching the defaults will make a dialog box with " Give Microsoft Edge a shot " appear. The prompt highlights some of the latest features in
Aw, Snap! This 16-Character String Can Crash Your Google Chrome

Aw, Snap! This 16-Character String Can Crash Your Google Chrome

September 21, 2015Swati Khandelwal
Remember when it took only 13 characters to crash Chrome browser instantly? This time, it takes 16-character simple URL string of text to crash Google Chrome instantly. Yes, you can crash the latest version of Chrome browser with just a simple tiny URL. To do this, all you need to do is follow one of these tricks: Type a 16-character link and hit enter Click on a 16-character link Just put your cursor on a 16-character link Yes, that's right. You don't even have to open or click the malformed link to cause the crash, putting the cursor on the link is enough to crash your Chrome. All the tricks mentioned above will either kill that particular Chrome tab or kill the whole Chrome browser. The issue was discovered by security researcher Andris Atteka , who explained in his blog post that just by adding a NULL char in the URL string could crash Chrome instantly. Atteka was able to crash the browser with a 26 character long string, which is given b
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.