#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Google+ | Breaking Cybersecurity News | The Hacker News

Google's Privacy Sandbox Accused of User Tracking by Austrian Non-Profit

Google's Privacy Sandbox Accused of User Tracking by Austrian Non-Profit

Jun 14, 2024 Privacy / Ad Tracking
Google's plans to deprecate third-party tracking cookies in its Chrome web browser with Privacy Sandbox has run into fresh trouble after Austrian privacy non-profit noyb (none of your business) said the feature can still be used to track users. "While the so-called 'Privacy Sandbox' is advertised as an improvement over extremely invasive third-party tracking, the tracking is now simply done within the browser by Google itself," noyb said . "To do this, the company theoretically needs the same informed consent from users. Instead, Google is tricking people by pretending to 'Turn on an ad privacy feature.'" In other words, by making users agree to enable a privacy feature, they are still being tracked by consenting to Google's first-party ad tracking, the Vienna-based non-profit founded by activist Max Schrems alleged in a complaint filed with the Austrian data protection authority. Privacy Sandbox is a set of proposals put forth by the i
Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Jun 13, 2024 Mobile Security / Vulnerability
Google has warned that a security flaw impacting Pixel Firmware has been exploited in the wild as a zero-day. The high-severity vulnerability, tagged as CVE-2024-32896 , has been described as an elevation of privilege issue in Pixel Firmware. The company did not share any additional details related to the nature of attacks exploiting it, but noted "there are indications that CVE-2024-32896 may be under limited, targeted exploitation." The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets. Some of the notable issues patched include denial-of-service (DoS) issue impacting Modem, and numerous information disclosure flaws affecting GsmSs, ACPM, and Trusty.  The updates are available for supported Pixel devices , such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold. Earlier this April, Google resolved
Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia

Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia

Jun 10, 2024 Social Media / Influence Operation
Google has revealed that it took down 1,320 YouTube channels and 1,177 Blogger blogs as part of a coordinated influence operation connected to the People's Republic of China (PRC). "The coordinated inauthentic network uploaded content in Chinese and English about China and U.S. foreign affairs," Google Threat Analysis Group (TAG) researcher Billy Leonard said in the company's quarterly bulletin released last week. The tech giant said it also terminated Ads, AdSense, and Blogger accounts linked to two coordinated influence operations with ties to Indonesia that shared content supportive of the ruling party in the country. Another big cluster dismantled by Google involved a network of 378 YouTube channels that it said originated from a Russian consulting firm and disseminated content that projected Russia in a favorable light and denigrated Ukraine and the West. The company further terminated one AdSense account and blocked 10 domains from showing up in Google News an
cyber security

Start With a Free Risk Assessment to Find, Fix, and Fly Through SaaS Security

websiteWing SecuritySaaS Security / Shadow IT
In just minutes, uncover and take action against hidden SaaS threats with Wing's advanced SSPM solution.
Cybersecurity CPEs: Unraveling the What, Why & How

Cybersecurity CPEs: Unraveling the What, Why & How

Jun 10, 2024Cybersecurity / Exposure Management
Staying Sharp: Cybersecurity CPEs Explained Perhaps even more so than in other professional domains, cybersecurity professionals constantly face new threats. To ensure you stay on top of your game, many certification programs require earning Continuing Professional Education (CPE) credits. CPEs are essentially units of measurement used to quantify the time and effort professionals spend on maintaining and enhancing skills and knowledge in the field of cybersecurity, and they act as points that demonstrate a commitment to staying current. CPEs are best understood in terms of other professions: just like medical, legal and even CPA certifications require continuing education to stay up-to-date on advancements and industry changes, cybersecurity professionals need CPEs to stay informed about the latest hacking tactics and defense strategies. CPE credits are crucial for maintaining certifications issued by various cybersecurity credentialing organizations, such as (ISC)², ISACA, and C
The AI Debate: Google's Guidelines, Meta's GDPR Dispute, Microsoft's Recall Backlash

The AI Debate: Google's Guidelines, Meta's GDPR Dispute, Microsoft's Recall Backlash

Jun 07, 2024 Artificial Intelligence / Privacy
Google is urging third-party Android app developers to incorporate generative artificial intelligence (GenAI) features in a responsible manner. The new guidance from the search and advertising giant is an effort to combat problematic content, including sexual content and hate speech, created through such tools. To that end, apps that generate content using AI must ensure they don't create Restricted Content , have a mechanism for users to report or flag offensive information , and market them in a manner that accurately represents the app's capabilities. App developers are also being recommended to rigorously test their AI models to ensure they respect user safety and privacy. "Be sure to test your apps across various user scenarios and safeguard them against prompts that could manipulate your generative AI feature to create harmful or offensive content," Prabhat Sharma, director of trust and safety for Google Play, Android, and Chrome, said . The development com
Update Chrome Browser Now: 4th Zero-Day Exploit Discovered in May 2024

Update Chrome Browser Now: 4th Zero-Day Exploit Discovered in May 2024

May 24, 2024 Vulnerability / Browser Security
Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild. Assigned the CVE identifier  CVE-2024-5274 , the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on May 20, 2024. Type confusion vulnerabilities  occur when a program attempts to access a resource with an incompatible type. It can have  serious consequences  as it allows threat actors to perform out-of-bounds memory access, cause a crash, and execute arbitrary code. The development marks the fourth zero-day that Google has patched since the start of the month after  CVE-2024-4671 ,  CVE-2024-4761 , and  CVE-2024-4947 . The tech giant did not disclose additional technical details about the flaw, but  acknowledged  that it "is aware that an exploit for CVE-2024-5274 exists in the wild
Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability

Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability

May 16, 2024 Browser Security / Vulnerability
Google has rolled out fixes to address a set of nine security issues in its Chrome browser, including a new zero-day that has been exploited in the wild. Assigned the CVE identifier  CVE-2024-4947 , the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Kaspersky researchers Vasily Berdnikov and Boris Larin on May 13, 2024. Type confusion vulnerabilities  arise when a program attempts to access a resource with an incompatible type. It can have  serious impacts  as it allows threat actors to perform out-of-bounds memory access, cause a crash, and execute arbitrary code. The development marks the third zero-day that Google has patched within a week after  CVE-2024-4671  and  CVE-2024-4761 . As is typically the case, no additional details about the attacks are available and have been withheld to prevent further exploitation. "Google is aware that an exploit for CVE-2024-4947 exists in the wild," the company  said .
New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation

New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation

May 14, 2024 Vulnerability / Zero Day
Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild. The high-severity vulnerability, tracked as  CVE-2024-4761 , is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024. Out-of-bounds write bugs  could be typically exploited by malicious actors to corrupt data, or induce a crash or execute arbitrary code on compromised hosts. "Google is aware that an exploit for CVE-2024-4761 exists in the wild," the tech giant  said . Additional details about the nature of the attacks have been withheld to prevent more threat actors from weaponizing the flaw. The disclosure comes merely days after the company patched  CVE-2024-4671 , a use-after-free vulnerability in the Visuals component that has also been exploited in real-world attacks. With the latest fix, Google has addressed a total of six zero-days since the sta
Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices

Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices

May 14, 2024 Location Tracking / Privacy
Apple and Google on Monday officially announced the rollout of a new feature that notifies users across both iOS and Android if a Bluetooth tracking device is being used to stealthily keep tabs on them without their knowledge or consent. "This will help mitigate the misuse of devices designed to help keep track of belongings," the companies said in a joint statement, adding it aims to address "potential risks to user privacy and safety." The proposal for a cross-platform solution was  originally unveiled  exactly a year ago by the two tech giants. The capability – dubbed " Detecting Unwanted Location Trackers " (DULT) – is available in Android devices running versions 6.0 and later, and iOS devices with iOS 17.5, which was officially shipped yesterday. As part of the industry specification, Android users will  receive  a "Tracker traveling with you" alert if an unidentified Bluetooth tracking device is detected as moving along with them over
Google Simplifies 2-Factor Authentication Setup (It's More Important Than Ever)

Google Simplifies 2-Factor Authentication Setup (It's More Important Than Ever)

May 07, 2024 Online Security / Data Breach
Google on Monday announced that it's simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts. Also called 2-Step Verification ( 2SV ), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case the passwords are stolen. The new change entails adding a second step method, such as an authenticator app or a hardware security key, before turning on 2FA, thus eliminating the need for using the less secure SMS-based authentication. "This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps)," the company  said . "Previously, users had to enable 2SV with a phone number before being able to add Authenticator." Users with hardware security keys have two options to add them to their accounts, including by registering a FIDO1 credential on the hardware key or by assigning a passkey (i.e., a F
Google Announces Passkeys Adopted by Over 400 Million Accounts

Google Announces Passkeys Adopted by Over 400 Million Accounts

May 03, 2024 Passwordless / Encryption
Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times  over the past two years . "Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords," Heather Adkins, vice president of security engineering at Google,  said . The search giant notes that passkeys are already used for authentication on Google Accounts more often than legacy forms of two-factor authentication, such as SMS one-time passwords (OTPs) and app based OTPs combined. In addition, the company said it's expanding  Cross-Account Protection , which alerts of suspicious events with third-party apps and services connected to a user's Google Account, to include more apps and services. Google is also expected to support the use of passkeys for high-risk users as part of its Advanced Protection Program (APP), which aims to safeguard people from
Google Postpones Third-Party Cookie Deprecation Amid U.K. Regulatory Scrutiny

Google Postpones Third-Party Cookie Deprecation Amid U.K. Regulatory Scrutiny

Apr 25, 2024 Technology / Privacy
Google has once again  pushed its plans  to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative. The tech giant said it's working closely with the U.K. Competition and Markets Authority (CMA) and hopes to achieve an agreement by the end of the year. As part of the new timeline, it aims to start phasing out third-party cookies early next year, making it the third such extension since the tech giant  announced  the plans in 2020, postponing it from  early 2022 to late 2023 , and again to the  second half of 2024 . Privacy Sandbox refers to a  set of initiatives  that offers privacy-preserving alternatives to tracking cookies and cross-app identifiers in order to serve tailored ads to users. While Google has since  enabled  the features to a subset of Chrome browser users as of last year, the U.K. watchdog, alongside the Information Commissioner's Of
Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks

Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks

Apr 08, 2024 Software Security / Cybersecurity
Google has announced support for what's called a  V8 Sandbox  in the Chrome web browser in an effort to address memory corruption issues. The sandbox, according to V8 security technical lead Samuel Groß,  aims  to prevent "memory corruption in V8 from spreading within the host process." The search behemoth has  described  V8 Sandbox as a lightweight, in-process sandbox for the JavaScript and WebAssembly engine that's designed to mitigate common V8 vulnerabilities. The idea is to limit the impact of V8 vulnerabilities by restricting the code executed by V8 to a subset of the process' virtual address space ("the sandbox") and isolating it from the rest of the process. Shortcomings affecting V8 have accounted for a significant chunk of the zero-day vulnerabilities that Google has  addressed  between  2021  and  2023 , with as many as 16 security flaws discovered over the time period. "The sandbox assumes that an attacker can arbitrarily and conc
Google Sues App Developers Over Fake Crypto Investment App Scam

Google Sues App Developers Over Fake Crypto Investment App Scam

Apr 08, 2024 Investment Scam / Mobile Security
Google has filed a lawsuit in the U.S. against two app developers for allegedly engaging in an "international online consumer investment fraud scheme" that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns. The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively. The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019, with over 100,000 users downloading them and leading to substantial financial losses. "The gains conveyed by the apps were illusory," the tech giant said in its complaint. "And the scheme did not end there." "Instead, when individual victims attempted to withdraw their balances, defendants and their co
Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

Apr 03, 2024 Mobile Security / Zero Day
Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies. The high-severity zero-day vulnerabilities are as follows - CVE-2024-29745  - An information disclosure flaw in the bootloader component CVE-2024-29748  - A privilege escalation flaw in the firmware component "There are indications that the [vulnerabilities] may be under limited, targeted exploitation," Google  said  in an advisory published April 2, 2024. While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they "are being actively exploited in the wild by forensic companies." "CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking," they  said  in a series of posts on X (formerly Twitter). "Forensic companies are rebooting devices in After First U
Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement

Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement

Apr 02, 2024 Browser Security / Data Security
Google has agreed to purge billions of data records reflecting users' browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser. The  class action , filed in 2020, alleged the company misled users by tracking their internet browsing activity who thought that it remained private when using the "incognito" or "private" mode on web browsers like Chrome. In late December 2023, it  emerged  that the company had consented to settle the lawsuit. The deal is currently pending approval by the U.S. District Judge Yvonne Gonzalez Rogers. "The settlement provides broad relief regardless of any challenges presented by Google's limited record keeping," a court filing on April 1, 2024, said. "Much of the private browsing data in these logs will be deleted in their entirety, including billions of event level data records that reflect class members' private
Google Introduces Enhanced Real-Time URL Protection for Chrome Users

Google Introduces Enhanced Real-Time URL Protection for Chrome Users

Mar 15, 2024 Browser Security / Phishing Attack
Google on Thursday announced an enhanced version of Safe Browsing to provide real-time, privacy-preserving URL protection and safeguard users from visiting potentially malicious sites. "The  Standard protection mode for Chrome  on desktop and iOS will check sites against Google's server-side list of known bad sites in real-time," Google's Jonathan Li and Jasika Bawa  said . "If we suspect a site poses a risk to you or your device, you'll see a warning with more information. By checking sites in real time, we expect to block 25% more phishing attempts." Up until now, the Chrome browser used a locally-stored list of known unsafe sites that's updated every 30 to 60 minutes, and then leveraging a  hash-based approach  to compare every site visited against the database. Google  first revealed  its plans to switch to real-time server-side checks without sharing users' browsing history with the company in September 2023. The reason for the change, the search giant said, is motivated b
Researchers Highlight Google's Gemini AI Susceptibility to LLM Threats

Researchers Highlight Google's Gemini AI Susceptibility to LLM Threats

Mar 13, 2024 Large Language Model / AI Security
Google's  Gemini  large language model (LLM) is susceptible to security threats that could cause it to divulge system prompts, generate harmful content, and carry out indirect injection attacks. The findings come from HiddenLayer, which said the issues impact consumers using Gemini Advanced with Google Workspace as well as companies using the LLM API. The first vulnerability involves getting around security guardrails to leak the system prompts (or a system message), which are designed to set conversation-wide instructions to the LLM to help it generate more useful responses, by asking the model to output its "foundational instructions" in a markdown block. "A system message can be used to inform the LLM about the context," Microsoft  notes  in its documentation about LLM prompt engineering. "The context may be the type of conversation it is engaging in, or the function it is supposed to perform. It helps the LLM generate more appropriate responses.&qu
Ex-Google Engineer Arrested for Stealing AI Technology Secrets for China

Ex-Google Engineer Arrested for Stealing AI Technology Secrets for China

Mar 07, 2024 Artificial Intelligence / Corporate Espionage
The U.S. Department of Justice (DoJ) announced the indictment of a 38-year-old Chinese national and a California resident for allegedly stealing proprietary information from Google while covertly working for two China-based tech companies. Linwei Ding (aka Leon Ding), a former Google engineer who was arrested on March 6, 2024, "transferred sensitive Google trade secrets and other confidential information from Google's network to his personal account while secretly affiliating himself with PRC-based companies in the AI industry," the DoJ  said . The defendant is said to have pilfered from Google over 500 confidential files containing artificial intelligence (AI) trade secrets with the goal of passing them on to two unnamed Chinese companies looking to gain an edge in the ongoing AI race. "While Linwei Ding was employed as a software engineer at Google, he was secretly working to enrich himself and two companies based in the People's Republic of China," sa
Expert Insights
Cybersecurity Resources