#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

browser hacking | Breaking Cybersecurity News | The Hacker News

Category — browser hacking
Chrome, Firefox, Safari and IE ā€“ All Browsers Hacked at Pwn2Own Competition

Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

Mar 22, 2015
The Annual Pwn2Own Hacking Competition  2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. During the second and final day of this year's hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers. Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive: 5 bugs in the Windows operating system 4 bugs in Internet Explorer 11 3 bugs in Mozilla Firefox 3 bugs in Adobe Reader 3 bugs in Adobe Flash 2 bugs in Apple Safari 1 bug in Google Chrome $557,500 USD bounty paid out to researchers The star of the show was South Korean secur
WebRTC Vulnerability leaks Real IP Addresses of VPN Users

WebRTC Vulnerability leaks Real IP Addresses of VPN Users

Feb 03, 2015
An extremely critical vulnerability has recently been discovered in WebRTC (Web Real-Time Communication) , an open-source standard that enables the browsers to make voice or video calls without needing any plug-ins. AFFECTED PRODUCTS Late last month, security researchers revealed a massive security flaw that enables website owner to easily see the real IP addresses of users through WebRTC , even if they are using a VPN or even PureVPN to mask their real IP addresses. The security glitch affects WebRTC-supporting browsers such as Google Chrome and Mozilla Firefox, and appears to be limited to Windows operating system only, although users of Linux and Mac OS X are not affected by this vulnerability. HOW DOES THE WebRTC FLAW WORKS WebRTC allows requests to be made to STUN (Session Traversal Utilities for NAT) servers which return the "hidden" home IP-address as well as local network addresses for the system that is being used by the user. The results of t
How to Get Going with CTEM When You Don't Know Where to Start

How to Get Going with CTEM When You Don't Know Where to Start

Oct 04, 2024Vulnerability Management / Security Posture
Continuous Threat Exposure Management (CTEM) is a strategic framework that helps organizations continuously assess and manage cyber risk. It breaks down the complex task of managing security threats into five distinct stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. Each of these stages plays a crucial role in identifying, addressing, and mitigating vulnerabilities - before they can be exploited by attackers.  On paper, CTEM sounds great . But where the rubber meets the road – especially for CTEM neophytes - implementing CTEM can seem overwhelming. The process of putting CTEM principles into practice can look prohibitively complex at first. However, with the right tools and a clear understanding of each stage, CTEM can be an effective method for strengthening your organization's security posture.  That's why I've put together a step-by-step guide on which tools to use for which stage. Want to learn more? Read on… Stage 1: Scoping  When you're defin
LOL, Jar File Malware Just Goes Viral Through Facebook Messages

LOL, Jar File Malware Just Goes Viral Through Facebook Messages

May 14, 2014
If you came across any suspicious Facebook message with ' LOL ' text or a fake Image file send by any of your Facebook friend, avoid clicking it. A Trojan horse is currently circulating in wild through the Facebook social network that could steal your Facebook account data and Credentials. Security researchers spotted  this malware campaign first in the beginning of March this year, where the Trojan spreads itself through the Facebook's Messenger service (inbox) by messaging a victim pretending to be one of their friends saying "LOL" with a zip file attached, which appears to be a photo, named " IMG_xxxx.zip ". In Past two weeks, many of our readers informed us that they received similar ZIP files from their trusted Facebook friends. The Hacker News team also noticed that despite after several warnings in media, once again the malware campaign just goes viral like any other video scam , but this time directly through users' inbox-to-inbox. HOW DOES
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections

Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections

May 12, 2014
Visiting a website certified with an SSL certificate doesn't mean that the website is not bogus. Secure Sockets Layer (SSL) protect the web users in two ways, it uses public key encryption to encrypt sensitive information between a user's computer and a website, such as usernames, passwords, or credit card numbers and also verify the identity of websites. Today hackers and cyber criminals are using every tantrum to steal users' credentials and other sensitive data by injecting fake SSL certificates to the bogus websites impersonating Social media, e-commerce, and financial websites as well. DETECTING FAKE DIGITAL CERTIFICATES WIDELY A Group of researchers, Lin-Shung Huang , Alex Ricey , Erling Ellingseny and Collin Jackson , from the Carnegie Mellon University in collaboration with Facebook have analyzed [ PDF ] more than 3 million SSL connections and found strong evidence that at least 6;845 (0:2%) of them were in fact tampered with forged certiļ¬cates i.e. self-signed di
LinkedIn Hack Tool Exposes Users' Emails without Exploiting Any Vulnerability

LinkedIn Hack Tool Exposes Users' Emails without Exploiting Any Vulnerability

Apr 03, 2014
A Free Chrome, Firefox and Safari web browser plugin floating around the web, called ' Sell Hack ' allows users to view the hidden email address of any LinkedIn user, means anyone can grab email addresses that we use for professional purposes. When installed, the ' Sell Hack ' plugin will pop up a ' Hack In ' button on LinkedIn profiles and further automatically mines email addresses of LinkedIn users. NOT A SECURITY BREACH It's not a Security breach, LinkedIn has confirmed that no LinkedIn data has been compromised, but rather this free extension rely on an algorithm that checks publicly available data in order to guess users' email addresses. So without exploiting any loophole or vulnerability, Sell Hack is capable of predicting users' email addresses with OSINT (Open-Source Intelligence) techniques i.e. information collected from publicly available sources. It is also possible that, the Sell Hack extension is gathering data from
Facebook 'Watch naked video of friends' malware scam infects 2 million people

Facebook 'Watch naked video of friends' malware scam infects 2 million people

Mar 08, 2014
We have seen a lot of Facebook malware and virus infections spreading through friends list, and this time a new clickjacking scam campaign is going viral on Facebook. Hackers spam Facebook timeline with a friend's picture and " See (Friend)'s naked video," or "(Friend Name's) Private Video. " The Picture appears to be uploaded by a friend and definitely, you might want to see some of your Facebook friends naked, But Beware!  If you get curious and click, you will be redirected to a malicious website reports that your Flash Player is not working properly and needs to be re-installed. But in actuality it will install a malware in your system and once approved, several disguised thing can happen to you. It further installs a malicious  browser extension to spread the scam and steal users' photos. " When the link is clicked, users are sent to a very realistic-looking mockup of a YouTube page, where the hackers will try to imme
Google Chrome added pop-up warning to prevent users from Browser hijacking

Google Chrome added pop-up warning to prevent users from Browser hijacking

Feb 04, 2014
GOOGLE, one of the most trusted brands continuously trying to keep its products more robust and secure for keeping its users safe. Google honors vulnerability hunters under its Bug bounty program and not only that, the company also offer a huge amount of reward to hackers in ' Pwnium ' hacking competition for finding critical vulnerability. Google Chrome , Browser from Google product family, has been added with a new feature that it will warn the user whenever browser's setting get altered by any malware . Browser hijacking is the modification of browser's settings, and the term " hijacking " is used when the changes performed without the user's permission. A browser hijacker may replace the existing home page, error page, or search page with its own. These are generally used to force hits to a particular website, increasing its advertising revenue i.e. Click jacking and Adware . A hijacker uses malicious software to change your internet s
Adware Companies buying popular Chrome extensions to inject Ads and Malware

Adware Companies buying popular Chrome extensions to inject Ads and Malware

Jan 20, 2014
Browser extensions are extra features and functionality that you can easily add to Google Chrome, Firefox and other popular Browsers, but they can be used to serve malicious adware , which automatically renders advertisements in order to generate revenue for its author.  Hackers are now taking their business rather more seriously than we thought. Even a single instance of malicious adware on your PC can inject bad ads or malware to your browser. Ads are a legitimate way to monetize. However, creating and spreading a fresh add-on to get a large user base is always tough, but now adware companies found a new trick i.e. Buying trusted browser extensions with a large user-base and exploiting their auto-update status to push out adware. Recently, the developer of ' Add to Feedly ' Chrome extension with 30,000+ users, Amit Agarwal , was approached by some mysterious buyers. " It was a 4-figure offer for something that had taken an hour to create and I agreed to the deal ," he said . &quo
Mozilla recommends the use of Open Source Browsers against State Surveillance

Mozilla recommends the use of Open Source Browsers against State Surveillance

Jan 14, 2014
After the revelations from NSA internal documents leaked by Edward Snowden, the world knows the NSA as the Real Techie Gangster of this 21st Century, with the ability to brutally infiltrate every kind of electronic device, the Internet, and global communications.  " It is becoming increasingly difficult to trust the privacy properties of software and services we rely on to use the Internet. Governments, companies, groups and individuals may be surveilling us without our knowledge. " The Inventor of JavaScript & current CTO of Mozilla, Mr. Brendan Eich said in a blog post NSA is not just focused on high-tech exploits, but also specialize in inserting secret backdoor to legitimate products. Its Tailored Access Operations (TAO) unit works with the CIA and FBI to intercept shipments of hardware to insert spyware into the devices. This way NSA is able to keep an eye on all levels of our digital lives, from computing centers to individual computers, and from laptops to mobi
Master Password Protection added to Google Chrome's Password Manager

Master Password Protection added to Google Chrome's Password Manager

Dec 05, 2013
Just like other Web Browsers, The Google Chrome also offers a password manager feature that can save your logins and basic information for automatic form-filling. The Google Chrome browser stores all your passwords in the plain text format and is available for access by opening the following URL in your Chrome browser – " chrome : //settings/passwords ". Unlike Firefox , till now Google Chrome was not offering any Master Protection. Finally Google has implemented a Master Password protection on Chrome password manager in Windows and Mac. Now you have to enter your Windows account password to reveal the saved passwords. The protection will be lifted for a minute, after entering the password, and after that user need to re-login. Previously, Google was criticized many times for such bad password storage Practice because there is no master password, no security, not even a prompt that " these passwords are visible " and this allows anyone with access to a user's c
DDoS attack from Browser-based Botnets that lasted for 150 hours

DDoS attack from Browser-based Botnets that lasted for 150 hours

Nov 14, 2013
Browser-based botnets are the T-1000s of the DDoS world. Just like the iconic villain of the old Judgment Day movie, they too are designed for adaptive infiltration. This is what makes them so dangerous. Where other more primitive bots would try to brute-force your defenses, these bots can simply mimic their way through the front gate. By the time you notice that something`s wrong, your perimeter has already been breached, your servers were brought down, and there is little left to do but to hang up and move on. So how do you flush out a T-1000? How do you tell a browser-based bot from a real person using a real browser? Some common bot filtering methods, which usually rely on sets of Progressive Challenges , are absolutely useless against bots that can retain cookies and execute JavaScripts. The alternative to indiscriminately flashing CAPTCHA's for anyone with a browser is nothing less than a self-inflicted disaster - especially when the attacks can go on for weeks a
Google Chrome adds automatic malware blocking for suspicious downloads

Google Chrome adds automatic malware blocking for suspicious downloads

Nov 02, 2013
Today Malware is a very real threat, and if you're not careful about what you download and install, you could end up with a serious problem. But now Google will be trying their very best to block malware from installing itself on your computer on your behalf. Google has developed a security feature for Chrome that lets the browser detect and stop malware downloads. The feature has been added to Chrome Canary, the latest version of the browser which is available to download in beta form now. All you'll see is a notification like the one below, which you can then dismiss: " These malicious programs disguise themselves so you won't know they're there and they may change your homepage or inject ads into the sites you browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state. " wrote Linus Upson, a Google vice president, in a blog post . Google is implementing
Sandcat Browser 4.0 released, new tools added for Pen-Testers

Sandcat Browser 4.0 released, new tools added for Pen-Testers

May 29, 2013
Sandcat Browser, The fastest web browser with many useful security and developer oriented tools updated to version 4.0 with the fastest scripting language packed with features for pen-testers. Sandcat 4 adds a large number of enhancements, new features, extensions and bug fixes, and provides a dramatically improved user experience on several fronts.  Sandcat 4 adds several new pen-tester extensions as part of the new incarnation of its Pen-Tester Tools extension pack. This includes: a Request Loader, a XHR Editor, a XHR Fuzzer, a CGI Scanner, a HTTP Brute Force extension, enhanced request editors, enhanced script runners, and more. New versions comes with a revamped and enhanced Live Headers. You can now view not only the request headers and response headers but the response of HTTP requests and XHR calls. The captured requests can be viewed, exported to and imported from individual files via its Live Headers bar. It adds the ability to save the full request details of captured requ
Remotely controlled Malware as Browser extensions

Remotely controlled Malware as Browser extensions

Oct 26, 2012
" Browser extensions extend the functionality of the web browser. These extensions improve the appearance, functionality, security or other parts of the browser. Extensions were also developed with malicious intent, in order to generate revenue or just spread the code between more and more browsers. The possibility of a malicious browser extension is almost infinite, but we have not seen very powerful malicious extensions yet. " Security researcher Zoltan Balazs has developed a remote-controlled piece of malware that functions as a browser extension. The researcher plans to release the malware's source code on GitHub during a presentation at the Hacker Halted security conference in Miami next Tuesday This Malwaretize Browser extensions is capable of modifying Web pages, downloading and executing files, hijacking accounts, bypassing two-factor authentication security features enforced by some websites, and much more. Balazs is also expected to demonstrate how the proof
Steam Browser Protocol Vulnerability can allow hackers to hijack PC

Steam Browser Protocol Vulnerability can allow hackers to hijack PC

Oct 16, 2012
Italian security Researchers Luigi Auriemma and Donato Ferrante from ' ReVuln ' reported the flaw in Steam Browser Protocol. Stream the popular online distribution platform with 54 million users. The flaw allow the attacker to write arbitrary text to file and direct victims to external payloads and even the computer can take over. The popular gaming platform uses the steam:// URL protocol in order to run, install and uninstall games, backup files, connect to servers and reach various sections dedicated to customers. It is possible to Safari, Maxthon and Firefox and other browsers based on the Mozilla engine, this quietly Steam URLs to invoke. In report they said that browsers including Firefox and software clients including RealPlayer would execute the external URL handler without warnings and were "a perfect vector to perform silent Steam browser protocol calls". The researchers demonstrated how users on the massive Source game engine, which hosts games like
Expert Insights / Articles Videos
Cybersecurity Resources