The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: browser hacking

Google Announces 5 Major Security Updates for Chrome Extensions

Google Announces 5 Major Security Updates for Chrome Extensions

October 02, 2018Mohit Kumar
Google has made several new announcements for its Chrome Web Store that aims at making Chrome extensions more secure and transparent to its users. Over a couple of years, we have seen a significant rise in malicious extensions that appear to offer useful functionalities, while running hidden malicious scripts in the background without the user's knowledge. However, the best part is that Google is aware of the issues and has proactively been working to change the way its Chrome web browser handles extensions. Earlier this year, Google banned extensions using cryptocurrency mining scripts and then in June, the company also disabled inline installation of Chrome extensions completely. The company has also been using machine learning technologies to detect and block malicious extensions. To take a step further, Google announced Monday five major changes that give users more control over certain permissions, enforces security measures, as well as makes the ecosystem more t
Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser

Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser

November 30, 2017Swati Khandelwal
Some websites have found using a simple yet effective technique to keep their cryptocurrency mining javascript secretly running in the background even when you close your web browser. Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of their visitor's PC to mine Bitcoin or other cryptocurrencies. After the world's most popular torrent download website, The Pirate Bay , caught secretly  using Coinhive , a browser-based cryptocurrency miner service, on its site last month, thousands of other websites also started using the service as an alternative monetization model to banner ads. However, websites using such crypto-miner services can mine cryptocurrencies as long as you're on their site. Once you close the browser window, they lost access to your processor and associated resources, which eventually stops mining. Un
How One Photo Could Have Hacked Your WhatsApp and Telegram Accounts

How One Photo Could Have Hacked Your WhatsApp and Telegram Accounts

March 15, 2017Swati Khandelwal
Next time when someone sends you a photo of a cute cat or a hot chick on WhatsApp or Telegram then be careful before you click on the image to view — it might hack your account within seconds. A new security vulnerability has recently been patched by two popular end-to-end encrypted messaging services — WhatsApp and Telegram — that could have allowed hackers to completely take over user account just by having a user simply click on a picture. The hack only affected the browser-based versions of WhatsApp and Telegram, so users relying on the mobile apps are not vulnerable to the attack. According to Checkpoint security researchers, the vulnerability resided in the way both messaging services process images and multimedia files without verifying that they might have hidden malicious code inside. For exploiting the flaw, all an attacker needed to do was sending the malicious code hidden within an innocent-looking image. Once the victim clicked on the picture, the attacker coul
Browser AutoFill Feature Can Leak Your Personal Information to Hackers

Browser AutoFill Feature Can Leak Your Personal Information to Hackers

January 11, 2017Swati Khandelwal
Just like most of you, I too really hate filling out web forms, especially on mobile devices. To help make this whole process faster, Google Chrome and other major browsers offer "Autofill" feature that automatically fills out web form based on data you have previously entered in similar fields. However, it turns out that an attacker can use this autofill feature against you and trick you into spilling your private information to hackers or malicious third parties. Finnish web developer and whitehat hacker Viljami Kuosmanen published a demo on GitHub that shows how an attacker could take advantage of the autofill feature provided by most browsers, plugins, and tools such as Password Managers. Although, this trick was first discovered by Ricardo Martin Rodriguez , Security Analyst at ElevenPaths, in the year 2013, but it seems Google haven't done anything to address weakness in Autofill feature. The proof-of-concept demo website consists of a simple online
Hackers WIN $1 Million Bounty for Remotely Hacking latest iOS 9 iPhone

Hackers WIN $1 Million Bounty for Remotely Hacking latest iOS 9 iPhone

November 02, 2015Swati Khandelwal
Well, here's some terrible news for all Apple iOS users… Someone just found an iOS zero-day vulnerability that could allow an attacker to remotely hack your iPhone running the latest version of iOS, i.e. iOS 9. Yes, an unknown group of hackers has sold a zero-day vulnerability to Zerodium , a startup by French-based company Vupen that Buys and Sells zero-day exploits. And Guess what, in How much? $1,000,000. Yes, $1 Million. Last month, a Bug bounty challenge was announced by Zerodium for finding a hack that must allow an attacker to remotely compromise a non-jailbroken Apple device through: A web page on Safari or Chrome browser, In-app browsing action, or Text message or MMS. Zerodium's Founder Chaouki Bekrar confirmed on Twitter that an unnamed group of hackers has won this $1 Million Bounty for sufficiently submitting a remote browser-based iOS 9.1/9.2b Jailbreak (untethered) Exploit. NO More Fun. It's Serious Threat to iOS Use
Here's How Websites Are Tracking You Online

Here's How Websites Are Tracking You Online

October 28, 2015Swati Khandelwal
Webmasters can track all your activities on the Internet – even if you have already cleared your browsing history and deleted all saved cookies. A researcher demonstrated two unpatched flaws that can be exploited to track Millions of Internet users, allowing malicious website owners: List Building: To compile a list of visited domains by users, even if they have cleared their browsing history Tracking Cookies: To tag users with a tracking cookie that will persist even after they have deleted all cookies These two Browser Fingerprinting techniques abuse HTTP Strict Transport Security (HSTS) and Content Security Policy – new security features already built into Mozilla Firefox and Google Chrome, and expected to make their ways to other mainstream browsers in near future. WHAT IF, The Website owners turn these Security features against You? A security researcher has proved exactly the same last weekend at Toorcon security conference in San Diego. Yan Zhu, an
This Malware Can Delete and Replace Your Entire Chrome Browser with a lookalike

This Malware Can Delete and Replace Your Entire Chrome Browser with a lookalike

October 20, 2015Swati Khandelwal
Security researchers have uncovered a new piece of Adware that replaces your entire browser with a dangerous copy of Google Chrome , in a way that you will not notice any difference while browsing. The new adware software, dubbed " eFast Browser ," works by installing and running itself in place of Google Chrome The adware does all kinds of malicious activities that we have seen quite often over the years: Generates pop-up, coupon, pop-under and other similar ads on your screen Placing other advertisements into your web pages Redirects you to malicious websites containing bogus contents Tracking your movements on the web to help nefarious marketers send more crap your way to generating revenue Therefore, having eFast Browser installed on your machine may lead to serious privacy issues or even identity theft. What's Nefariously Intriguing About this Adware? The thing that makes this Adware different from others is that instead of taking contr
Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

March 22, 2015Mohit Kumar
The Annual Pwn2Own Hacking Competition  2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. During the second and final day of this year’s hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers. Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive: 5 bugs in the Windows operating system 4 bugs in Internet Explorer 11 3 bugs in Mozilla Firefox 3 bugs in Adobe Reader 3 bugs in Adobe Flash 2 bugs in Apple Safari 1 bug in Google Chrome $557,500 USD bounty paid out to researchers The star of the show was South Korean secur
WebRTC Vulnerability leaks Real IP Addresses of VPN Users

WebRTC Vulnerability leaks Real IP Addresses of VPN Users

February 03, 2015Mohit Kumar
An extremely critical vulnerability has recently been discovered in WebRTC (Web Real-Time Communication) , an open-source standard that enables the browsers to make voice or video calls without needing any plug-ins. AFFECTED PRODUCTS Late last month, security researchers revealed a massive security flaw that enables website owner to easily see the real IP addresses of users through WebRTC , even if they are using a VPN or even PureVPN to mask their real IP addresses. The security glitch affects WebRTC-supporting browsers such as Google Chrome and Mozilla Firefox, and appears to be limited to Windows operating system only, although users of Linux and Mac OS X are not affected by this vulnerability. HOW DOES THE WebRTC FLAW WORKS WebRTC allows requests to be made to STUN (Session Traversal Utilities for NAT) servers which return the "hidden" home IP-address as well as local network addresses for the system that is being used by the user. The results of t
LOL, Jar File Malware Just Goes Viral Through Facebook Messages

LOL, Jar File Malware Just Goes Viral Through Facebook Messages

May 14, 2014Swati Khandelwal
If you came across any suspicious Facebook message with ‘ LOL ’ text or a fake Image file send by any of your Facebook friend, avoid clicking it. A Trojan horse is currently circulating in wild through the Facebook social network that could steal your Facebook account data and Credentials. Security researchers spotted  this malware campaign first in the beginning of March this year, where the Trojan spreads itself through the Facebook’s Messenger service (inbox) by messaging a victim pretending to be one of their friends saying "LOL" with a zip file attached, which appears to be a photo, named " IMG_xxxx.zip ". In Past two weeks, many of our readers informed us that they received similar ZIP files from their trusted Facebook friends. The Hacker News team also noticed that despite after several warnings in media, once again the malware campaign just goes viral like any other video scam , but this time directly through users’ inbox-to-inbox. HOW DOES
Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections

Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections

May 12, 2014Swati Khandelwal
Visiting a website certified with an SSL certificate doesn’t mean that the website is not bogus. Secure Sockets Layer (SSL) protect the web users in two ways, it uses public key encryption to encrypt sensitive information between a user’s computer and a website, such as usernames, passwords, or credit card numbers and also verify the identity of websites. Today hackers and cyber criminals are using every tantrum to steal users’ credentials and other sensitive data by injecting fake SSL certificates to the bogus websites impersonating Social media, e-commerce, and financial websites as well. DETECTING FAKE DIGITAL CERTIFICATES WIDELY A Group of researchers, Lin-Shung Huang , Alex Ricey , Erling Ellingseny and Collin Jackson , from the Carnegie Mellon University in collaboration with Facebook have analyzed [ PDF ] more than 3 million SSL connections and found strong evidence that at least 6;845 (0:2%) of them were in fact tampered with forged certificates i.e. self-signed di
LinkedIn Hack Tool Exposes Users' Emails without Exploiting Any Vulnerability

LinkedIn Hack Tool Exposes Users' Emails without Exploiting Any Vulnerability

April 03, 2014Anonymous
A Free Chrome, Firefox and Safari web browser plugin floating around the web, called ' Sell Hack ' allows users to view the hidden email address of any LinkedIn user, means anyone can grab email addresses that we use for professional purposes. When installed, the ' Sell Hack ' plugin will pop up a ' Hack In ' button on LinkedIn profiles and further automatically mines email addresses of LinkedIn users. NOT A SECURITY BREACH It's not a Security breach, LinkedIn has confirmed that no LinkedIn data has been compromised, but rather this free extension rely on an algorithm that checks publicly available data in order to guess users’ email addresses. So without exploiting any loophole or vulnerability, Sell Hack is capable of predicting users' email addresses with OSINT (Open-Source Intelligence) techniques i.e. information collected from publicly available sources. It is also possible that, the Sell Hack extension is gathering data from
Facebook 'Watch naked video of friends' malware scam infects 2 million people

Facebook 'Watch naked video of friends' malware scam infects 2 million people

March 08, 2014Wang Wei
We have seen a lot of Facebook malware and virus infections spreading through friends list, and this time a new clickjacking scam campaign is going viral on Facebook. Hackers spam Facebook timeline with a friend's picture and " See (Friend)'s naked video," or "(Friend Name's) Private Video. " The Picture appears to be uploaded by a friend and definitely, you might want to see some of your Facebook friends naked, But Beware!  If you get curious and click, you will be redirected to a malicious website reports that your Flash Player is not working properly and needs to be re-installed. But in actuality it will install a malware in your system and once approved, several disguised thing can happen to you. It further installs a malicious  browser extension to spread the scam and steal users’ photos. " When the link is clicked, users are sent to a very realistic-looking mockup of a YouTube page, where the hackers will try to imme
Google Chrome added pop-up warning to prevent users from Browser hijacking

Google Chrome added pop-up warning to prevent users from Browser hijacking

February 04, 2014Anonymous
GOOGLE, one of the most trusted brands continuously trying to keep its products more robust and secure for keeping its users safe. Google honors vulnerability hunters under its Bug bounty program and not only that, the company also offer a huge amount of reward to hackers in ' Pwnium ' hacking competition for finding critical vulnerability. Google Chrome , Browser from Google product family, has been added with a new feature that it will warn the user whenever browser’s setting get altered by any malware . Browser hijacking is the modification of browser's settings, and the term " hijacking " is used when the changes performed without the user's permission. A browser hijacker may replace the existing home page, error page, or search page with its own. These are generally used to force hits to a particular website, increasing its advertising revenue i.e. Click jacking and Adware . A hijacker uses malicious software to change your internet s
Adware Companies buying popular Chrome extensions to inject Ads and Malware

Adware Companies buying popular Chrome extensions to inject Ads and Malware

January 20, 2014Wang Wei
Browser extensions are extra features and functionality that you can easily add to Google Chrome, Firefox and other popular Browsers, but they can be used to serve malicious adware , which automatically renders advertisements in order to generate revenue for its author.  Hackers are now taking their business rather more seriously than we thought. Even a single instance of malicious adware on your PC can inject bad ads or malware to your browser. Ads are a legitimate way to monetize. However, creating and spreading a fresh add-on to get a large user base is always tough, but now adware companies found a new trick i.e. Buying trusted browser extensions with a large user-base and exploiting their auto-update status to push out adware. Recently, the developer of ‘ Add to Feedly ’ Chrome extension with 30,000+ users, Amit Agarwal , was approached by some mysterious buyers. “ It was a 4-figure offer for something that had taken an hour to create and I agreed to the deal ,” he said . &quo
Mozilla recommends the use of Open Source Browsers against State Surveillance

Mozilla recommends the use of Open Source Browsers against State Surveillance

January 14, 2014Swati Khandelwal
After the revelations from NSA internal documents leaked by Edward Snowden, the world knows the NSA as the Real Techie Gangster of this 21st Century, with the ability to brutally infiltrate every kind of electronic device, the Internet, and global communications.  " It is becoming increasingly difficult to trust the privacy properties of software and services we rely on to use the Internet. Governments, companies, groups and individuals may be surveilling us without our knowledge. " The Inventor of JavaScript & current CTO of Mozilla, Mr. Brendan Eich said in a blog post NSA is not just focused on high-tech exploits, but also specialize in inserting secret backdoor to legitimate products. Its Tailored Access Operations (TAO) unit works with the CIA and FBI to intercept shipments of hardware to insert spyware into the devices. This way NSA is able to keep an eye on all levels of our digital lives, from computing centers to individual computers, and from laptops to mobi
Master Password Protection added to Google Chrome's Password Manager

Master Password Protection added to Google Chrome's Password Manager

December 05, 2013Mohit Kumar
Just like other Web Browsers, The Google Chrome also offers a password manager feature that can save your logins and basic information for automatic form-filling. The Google Chrome browser stores all your passwords in the plain text format and is available for access by opening the following URL in your Chrome browser – “ chrome : //settings/passwords ”. Unlike Firefox , till now Google Chrome was not offering any Master Protection. Finally Google has implemented a Master Password protection on Chrome password manager in Windows and Mac. Now you have to enter your Windows account password to reveal the saved passwords. The protection will be lifted for a minute, after entering the password, and after that user need to re-login. Previously, Google was criticized many times for such bad password storage Practice because there is no master password, no security, not even a prompt that “ these passwords are visible ” and this allows anyone with access to a user's c
DDoS attack from Browser-based Botnets that lasted for 150 hours

DDoS attack from Browser-based Botnets that lasted for 150 hours

November 14, 2013Anonymous
Browser-based botnets are the T-1000s of the DDoS world. Just like the iconic villain of the old Judgment Day movie, they too are designed for adaptive infiltration. This is what makes them so dangerous. Where other more primitive bots would try to brute-force your defenses, these bots can simply mimic their way through the front gate. By the time you notice that something`s wrong, your perimeter has already been breached, your servers were brought down, and there is little left to do but to hang up and move on. So how do you flush out a T-1000? How do you tell a browser-based bot from a real person using a real browser? Some common bot filtering methods, which usually rely on sets of Progressive Challenges , are absolutely useless against bots that can retain cookies and execute JavaScripts. The alternative to indiscriminately flashing CAPTCHA’s for anyone with a browser is nothing less than a self-inflicted disaster - especially when the attacks can go on for weeks a
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.