The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: Google+

Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024

Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024

July 28, 2022Ravie Lakshmanan
Google on Wednesday said it's once again delaying its plans to turn off third-party cookies in the Chrome web browser from late 2023 to the second half of 2024. "The most consistent feedback we've received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome," Anthony Chavez, vice president of Privacy Sandbox,  said . In keeping this in mind, the internet and ad tech giant said it's taking a "deliberate approach" and  extending the testing window  for its ongoing Privacy Sandbox initiatives prior to phasing out third-party cookies. Cookies are pieces of data planted on a user's computer or other device by the web browser as a website is accessed, with third-party cookies fueling much of the digital advertising ecosystem and its ability to track users across different sites to show targeted ads. Privacy Sandbox is Google's umbrella term for a set of technologies
Google Bringing the Android App Permissions Section Back to the Play Store

Google Bringing the Android App Permissions Section Back to the Play Store

July 22, 2022Ravie Lakshmanan
Google on Thursday said it's backtracking on a  recent change  that removed the app permissions list from the Google Play Store for Android across both the mobile app and the web. "Privacy and transparency are core values in the Android community," the Android Developers team  said  in a series of tweets. "We heard your feedback that you find the app permissions section in Google Play useful, and we've decided to reinstate it. The app permissions section will be back shortly." To that end, in addition to showcasing the new Data safety section that offers users a simplified summary of an app's data collection, processing, and security practices, Google also intends to highlight all the permissions required by the app to make sense of its "ability to access specific restricted data and actions." The reinstatement comes as the internet giant moved to swap out the apps permission section with the newer Data safety labels last week ahead of the
Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

July 15, 2022Ravie Lakshmanan
Following the launch of a new "Data safety" section for Android apps on the Play Store, Google appears to be readying to remove the app permissions list from both the mobile app and the web. The change was  highlighted  by Esper's Mishaal Rahman earlier this week. The  Data safety  section, which Google began rolling out in late April 2022, is the company's answer to Apple's Privacy Nutrition Labels in iOS, allowing users to have a unified view of an app's data collection and processing practices. To that end, third-party app developers are required to furnish the required details by July 20, 2022. With this deadline now approaching next week, the tech giant has taken the step of entirely removing the permissions section. The decision also appears to be a hasty one, as a number of popular apps such as Facebook, Messenger, Instagram, WhatsApp, Amazon (including Amazon Prime Video), DuckDuckGo, Discord, and PhonePe are yet to populate their Data safety sec
Google Improves Its Password Manager to Boost Security Across All Platforms

Google Improves Its Password Manager to Boost Security Across All Platforms

July 01, 2022Ravie Lakshmanan
Google on Thursday announced a slew of improvements to its  password manager  service aimed at creating a more consistent look and feel across different platforms. Central to the changes is a "simplified and unified management experience that's the same in Chrome and Android settings," Ali Sarraf, Google Chrome product manager,  said  in a blog post. The updates are also expected to automatically group multiple passwords for the same sites as well as introduce an option to manually add passwords. Although Google appears to be not ready yet to make Password Manager as a standalone app, users on Android can now add a shortcut to it on the homescreen. In a related change on iOS, should users opt for Chrome as the  default autofill provider , Password Manager now comes with the ability to generate unique, strong passwords. The built-in Password Checkup feature on Android is receiving an upgrade of its own too. Beyond checking for hacked credentials, it can further hig
Google Blocks Dozens of Malicious Domains Operated by Hack-for-Hire Groups

Google Blocks Dozens of Malicious Domains Operated by Hack-for-Hire Groups

June 30, 2022Ravie Lakshmanan
Google's Threat Analysis Group (TAG) on Thursday disclosed it had acted to block as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. In a manner analogous to the  surveillanceware ecosystem , hack-for-hire firms equip their clients with capabilities to enable targeted attacks aimed at corporates as well as activists, journalists, politicians, and other high-risk users. Where the two stand apart is that while customers purchase the spyware from commercial vendors and then deploy it themselves, the operators behind hack-for-hire attacks are known to conduct the intrusions on their clients' behalf in order to obscure their role. "The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients," Shane Huntley, director of Google TAG,  said  in a report. "Some hack-for-hire attackers openly adver
U.S. FCC Commissioner Asks Apple and Google to Remove TikTok from App Stores

U.S. FCC Commissioner Asks Apple and Google to Remove TikTok from App Stores

June 30, 2022Ravie Lakshmanan
One of the commissioners of the U.S. Federal Communications Commission (FCC) has renewed calls asking for Apple and Google to boot the popular video-sharing platform TikTok from their app stores citing "its pattern of surreptitious data practices." "It is clear that TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing's apparently unchecked access to that sensitive data," Brendan Carr, a Republican member of the FCC,  wrote  in a letter to Apple and Google's chief executives. TikTok, in September 2021,  disclosed  that there are one billion people who use its app every month, making it one of the largest social media platforms after Facebook, YouTube, WhatsApp, Instagram, and WeChat. Carr further emphasized that the short-form video service is far from just an app for sharing funny videos or memes, calling out its features as "sheep's clothing" intended to mask its core funct
Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

June 24, 2022Ravie Lakshmanan
A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in  Google Play Protect  — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG)  said  in a Thursday report. Hermit, the work of an Italian vendor named RCS Lab, was  documented  by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages. Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, besides abusing its permissions to accessibility services on Android to keep tabs on various foreground apps used by the victims. Its modularity also enab
Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities

Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities

May 26, 2022Ravie Lakshmanan
Cybersecurity researchers are calling attention to a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns. "The framework contains numerous features which we assess may be utilized in the enablement of malicious activities," researchers from Team Cymru  said  in a new report published Wednesday. "The technical entry bar for the framework is purposefully kept low, which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling." The U.S. cybersecurity company said it observed command-and-control (C2) IP addresses associated with malware such as  Bumblebee ,  BlackGuard , and  RedLine Stealer  establishing connections to the downloads subdomain of Bablosoft ("downloads.bablosoft[.]com"), the maker of the Browser Automation Studio (BAS). Bablosoft was previously
New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

May 24, 2022Ravie Lakshmanan
Popular video conferencing service Zoom has  resolved  as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol ( XMPP ) messages and execute malicious code. Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022. The list of bugs is as follows - CVE-2022-22784  (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings CVE-2022-22785  (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings CVE-2022-22786  (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows CVE-2022-22787  (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings With Zoom's chat functionality built on top
Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits

Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits

May 20, 2022Ravie Lakshmanan
Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. "The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem," TAG researchers Clement Lecigne and Christian Resell  said . Cytrox is alleged to have packaged the exploits and sold them to different government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, who, in turn, weaponized the bugs in at least three different campaigns. The commercial surveillance company is the maker of  Predator , an implant  analogous  to that of NSO Group's  Pegasus , and is known to hav
High-Severity Bug Reported in Google's OAuth Client Library for Java

High-Severity Bug Reported in Google's OAuth Client Library for Java

May 19, 2022Ravie Lakshmanan
Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads. Tracked as  CVE-2021-22573 , the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature. Credited with discovering and reporting the flaw on March 12 is  Tamjid Al Rahat , a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google's bug bounty program. "The vulnerability is that the IDToken verifier does not verify if the token is properly signed," an  advisory  for the flaw reads. "Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on
Google Created 'Open Source Maintenance Crew' to Help Secure Critical Projects

Google Created 'Open Source Maintenance Crew' to Help Secure Critical Projects

May 13, 2022Ravie Lakshmanan
Google on Thursday  announced  the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out  Open Source Insights  as a tool for analyzing packages and their dependency graphs, using it to determine "whether a vulnerability in a dependency might affect your code." "With this information, developers can understand how their software is put together and the consequences to changes in their dependencies," the company said. The development comes as security and trust in the open source software ecosystem has been increasingly thrown into question in the aftermath of a  string  of  supply chain   attacks  designed to compromise developer workflows. In December 2021, a critical flaw in the ubiquitous open source  Log4j logging library  left several companies scrambling to patch their systems against potential abuse. The announcement also comes less than
Android and Chrome Users Can Soon Generate Virtual Credit Cards to Protect Real Ones

Android and Chrome Users Can Soon Generate Virtual Credit Cards to Protect Real Ones

May 12, 2022Ravie Lakshmanan
Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome. "When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number," Google's Jen Fitzpatrick  said  in a statement. The goal, the search giant, said to keep payment information safe and secure during online shopping and protect users from  skimming attacks  wherein threat actors inject malicious JavaScript code to plunder credit card numbers and sell them on the black market. The feature is expected to roll out in the U.S. for Visa, American Express, Mastercard, and Capital One cards starting this summer. Interestingly, while Apple offers an option to mask email addresses via  Hide My Email , which enables users to create unique, random email addresses to use with apps
Google Releases Android Update to Patch Actively Exploited Vulnerability

Google Releases Android Update to Patch Actively Exploited Vulnerability

May 05, 2022Ravie Lakshmanan
Google has released monthly security patches for Android with fixes for 37 flaws across different components, one of which is a fix for an actively exploited Linux kernel vulnerability that came to light earlier this year. Tracked as  CVE-2021-22600  (CVSS score: 7.8), the vulnerability is ranked "High" for severity and could be exploited by a local user to escalate privileges or deny service. The issue relates to a  double-free vulnerability  residing in the  Packet  network protocol implementation in the Linux kernel that could cause memory corruption, potentially leading to denial-of-service or execution of arbitrary code. Patches were released by different Linux distributions, including  Debian ,  Red Hat ,  SUSE , and  Ubuntu  in December 2021 and January 2022. "There are indications that CVE-2021-22600 may be under limited, targeted exploitation," Google  noted  in its Android Security Bulletin for May 2022. Specifics about the nature of the attacks are
Google to Add Passwordless Authentication Support to Android and Chrome

Google to Add Passwordless Authentication Support to Android and Chrome

May 05, 2022Ravie Lakshmanan
Google today announced  plans  to implement support for passwordless logins in Android and the Chrome web browser to allow users to seamlessly and securely sign in across different devices and websites irrespective of the platform. "This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password," Google  said . Apple and Microsoft are also expected to extend the support to iOS, macOS, and Windows operating systems as well as Safari and Edge browsers. The common Fast IDentity Online ( FIDO ) sign-in system does away with passwords entirely in favor of displaying a prompt asking a user to unlock the phone when signing into a website or an application. This is made possible by storing a cryptographically-secured FIDO credential called a passkey on the phone that's used to log in to the online account after unlocking the device. "Once you've done this, you won't need your phone again a
Google Releases First Developer Preview of Privacy Sandbox on Android 13

Google Releases First Developer Preview of Privacy Sandbox on Android 13

May 01, 2022Ravie Lakshmanan
Google has officially  released  the first developer preview for the Privacy Sandbox on Android 13, offering an "early look" at the SDK Runtime and Topics API to boost users' privacy online. "The Privacy Sandbox on Android Developer Preview program will run over the course of 2022, with a beta release planned by the end of the year," the search giant  said  in an overview. A "multi-year effort,"  Privacy Sandbox  on Android aims to create technologies that's both privacy-preserving as well as keep online content and services free without having to resort to opaque methods of digital advertising. The idea is to limit sharing of user data with third-parties and operate without cross-app identifiers, including advertising ID, a unique, user-resettable string of letters and digits that can be used to track users as they move between apps. Google originally  announced  its plans to bring Privacy Sandbox to Android earlier this February, following
Here's a New Tool That Scans Open-Source Repositories for Malicious Packages

Here's a New Tool That Scans Open-Source Repositories for Malicious Packages

May 01, 2022Ravie Lakshmanan
The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories. Called the  Package Analysis  project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software. "The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?," the OpenSSF  said . "The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously," the foundation's Caleb Brown and David A. Wheeler added. In a test run that lasted a month, the tool ide
Google's New Safety Section Shows What Data Android Apps Collect About Users

Google's New Safety Section Shows What Data Android Apps Collect About Users

April 27, 2022Ravie Lakshmanan
Google on Tuesday officially began rolling out a new "Data safety" section for Android apps on the Play Store to highlight the type of data being collected and shared with third-parties. "Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties," Suzanne Frey, Vice President of product for Android security and privacy,  said . "In addition, users want to understand how app developers are securing user data after an app is downloaded." The transparency measure, which is built along the lines of Apple's " Privacy Nutrition Labels ," was  first announced  by Google nearly a year ago in May 2021. The Data safety section, which will show up against every app listing on the digital storefront, presents a unified view of what data is being collected, for what purpose it's being used, and how it's handled, while also highlighting what data is being shared with thi
Critical Chipset Bugs Open Millions of Android Devices to Remote Spying

Critical Chipset Bugs Open Millions of Android Devices to Remote Spying

April 21, 2022Ravie Lakshmanan
Three security vulnerabilities have been disclosed in the audio decoders of Qualcomm and MediaTek chips that, if left unresolved, could allow an adversary to remotely gain access to media and audio conversations from affected mobile devices. According to Israeli cybersecurity company Check Point , the issues could be used as a launchpad to carry out remote code execution (RCE) attacks simply by sending a specially crafted audio file. "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera," the researchers said in a report shared with The Hacker News. "In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations." The vulnerabilities, dubbed ALHACK, are rooted in an audio coding format originally developed and open-sourced by Apple i
Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021

Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021

April 20, 2022Ravie Lakshmanan
Google Project Zero called 2021 a "record year for in-the-wild 0-days," as  58 security vulnerabilities  were detected and disclosed during the course of the year. The development marks more than a two-fold jump from the previous maximum when 28 0-day exploits were tracked in 2015. In contrast, only 25 0-day exploits were detected in 2020. "The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits," Google Project Zero security researcher  Maddie Stone   said . "Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces," Stone added. The tech giant's in-house security team characterized the exploits as similar to previous and publicly known vulnerabilities, with only two of them markedly different for the technical sophistication and use of logic bugs to escape the sandbox. B
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.