The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: web browser security

Chrome, Firefox, Edge and Safari Plans to Disable TLS 1.0 and 1.1 in 2020

Chrome, Firefox, Edge and Safari Plans to Disable TLS 1.0 and 1.1 in 2020

October 15, 2018Swati Khandelwal
All major web browsers, including Google Chrome, Apple Safari, Microsoft Edge, Internet Explorer, and Mozilla Firefox, altogether today announced to soon remove support for TLS 1.0 (20-year-old) and TLS 1.1 (12-year-old) communication encryption protocols. Developed initially as Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) is an updated cryptographic protocol used to establish a secure and encrypted communications channel between clients and servers. There are currently four versions of the TLS protocol—TLS 1.0, 1.1, 1.2 and 1.3 ( latest )—but older versions, TLS 1.0 and 1.1, are known to be vulnerable to a number of critical attacks, such as  POODLE  and  BEAST . Since TLS implementation in all major web browsers and applications supports downgrade negotiation process, it leaves an opportunity for attackers to exploit weaker protocols even if a server supports the latest version. All Major Web Browsers Will Remove TLS 1.0 and TLS 1.1 Support in 2020
Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs

Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs

September 12, 2018Swati Khandelwal
A security researcher has discovered a serious vulnerability that could allow attackers to spoof website addresses in the Microsoft Edge web browser for Windows and Apple Safari for iOS. While Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates , Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks. The phishing attacks today are sophisticated and increasingly more difficult to spot, and this newly discovered vulnerability takes it to another level that can bypass basic indicators like URL and SSL, which are the first things a user checks to determine if a website is fake. Discovered by Pakistan-based security researcher Rafay Baloch, the vulnerability (CVE-2018-8383) is due to a race condition type issue caused by the web browser allowing JavaScript to update the page address in the URL bar while the page is loading. Here's How the URL Spoofing Vulnerability Works Successfu
Update Google Chrome Immediately to Patch a High Severity Vulnerability

Update Google Chrome Immediately to Patch a High Severity Vulnerability

June 06, 2018Mohit Kumar
You must update your Google Chrome now. Security researcher Michał Bentkowski discovered and reported a high severity vulnerability in Google Chrome in late May, affecting the web browsing software for all major operating systems including Windows, Mac, and Linux. Without revealing any technical detail about the vulnerability, the Chrome security team described the issue as incorrect handling of CSP header ( CVE-2018-6148 ) in a blog post published today. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the Chrome security team notes. Content Security Policy (CSP) header allows website administrators to add an extra layer of security on a given web page by allowing them to control resources the browser is allowed to load. Mishandling of CSP headers by your web brow
Apple Blocks Sites From Abusing HSTS Security Standard to Track Users

Apple Blocks Sites From Abusing HSTS Security Standard to Track Users

March 20, 2018Swati Khandelwal
If you are unaware, the security standard HTTP Strict Transport Security (HSTS) can be abused as a 'supercookie' to surreptitiously track users of almost every modern web browser online without their knowledge even when they use "private browsing." Apple has now added mitigations to its open-source browser infrastructure WebKit that underpins its Safari web browser to prevent HSTS abuse after discovering that theoretical attacks demonstrated in 2015 were recently deployed in the wild against Safari users. HSTS—HTTP Strict Transport Security—is a great feature that allows websites to automatically redirects user's web traffic to secure page connections over HTTPS if the user accidentally opens an insecure URL and then remembers to route that user to the secure connection always. Since HSTS does not allow websites to store any information/value on users web browser except remembering the redirect information about turning it on/off for future use, using
Update Your Firefox Browser to Fix a Critical Remotely Exploitable Flaw

Update Your Firefox Browser to Fix a Critical Remotely Exploitable Flaw

January 31, 2018Mohit Kumar
Mozilla has released an important update for its Firefox web browser to patch a critical vulnerability that could allow remote attackers to execute malicious code on computers running an affected version of the browser. The update comes just a week after the company rolled out its new Firefox Quantum browser, a.k.a Firefox 58, with some new features like improved graphics engine and performance optimizations and patches for more than 30 vulnerabilities. According to a security advisory published by Cisco, Firefox 58.0.1 addresses an 'arbitrary code execution’ flaw that originates due to 'insufficient sanitization' of HTML fragments in chrome-privileged documents (browser UI). Hackers could exploit this vulnerability (CVE-2018-5124) to run arbitrary code on the victim's computer just by tricking them into accessing a link or ' opening a file that submits malicious input to the affected software .' "A successful exploit could allow the attacker t
Microsoft Engineer Installs Google Chrome Mid-Presentation After Edge Kept Crashing

Microsoft Engineer Installs Google Chrome Mid-Presentation After Edge Kept Crashing

November 01, 2017Wang Wei
Ever since the launch of Windows 10, Microsoft has been heavily pushing its Edge browser, claiming it to be the best web browser over its competitors like Mozilla Firefox, Opera and Google Chrome in terms of speed and battery performance. However, Microsoft must admit that most users make use of Edge or Internet Explorer only to download Chrome, which is by far the world's most popular internet browser. Something hilarious happened recently during a live demonstration when a Microsoft engineer caught on a video switching from Edge to Chrome after the default Windows 10 browser stopped responding in the middle of the presentation. That is really embarrassing. The incident happened in the middle of a Microsoft Ignite conference, where the Microsoft presenter Michael Leworthy was demonstrating how to one can migrate their applications and data to Microsoft Azure cloud service. See what happens in the video below: However, Leworthy was forced to pause his Azure presenta
Beware! Don't Fall For "Font Wasn't Found" Google Chrome Malware Scam

Beware! Don't Fall For "Font Wasn't Found" Google Chrome Malware Scam

February 22, 2017Mohit Kumar
Next time when you accidentally or curiously land up on a website with jumbled content prompting you to download a missing font to read the blog by updating the Chrome font pack… …Just Don't Download and Install It. It's a Trap! Scammers and hackers are targeting Google Chrome users with this new hacking scam that's incredibly easy to fall for, prompting users to download a fake Google Chrome font pack update just to trick them into installing malware on their systems. Here's What the Scam is and How it works: It's a "The 'HoeflerText' font wasn't found" scam. Security firm NeoSmart Technologies recently identified the malicious campaign while browsing an unnamed WordPress website that had allegedly already been compromised, possibly due to failing to apply timely security updates. The scam is not a new one to identified by NeoSmart. It has been making rounds since last month . The hackers are inserting JavaScript into poorl
A Simple JavaScript Exploit Bypasses ASLR Protection On 22 CPU Architectures

A Simple JavaScript Exploit Bypasses ASLR Protection On 22 CPU Architectures

February 16, 2017Swati Khandelwal
Security researchers have discovered a chip flaw that could nullify hacking protections for millions of devices regardless of their operating system or application running on them, and the worse — the flaw can not be entirely fixed with any mere software update. The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works and leads to bypass the Address Space Layout Randomization (ASLR) protection. ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs. In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device's memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs. In short, for attackers, it's like an attempt to burglarize a house blindfolded. But now a group of researchers, known as VUSe
Comodo's so-called 'Secure Internet Browser' Comes with Disabled Security Features

Comodo's so-called 'Secure Internet Browser' Comes with Disabled Security Features

February 03, 2016Unknown
Beware Comodo Users! Have you Safeguarded your PC with a Comodo Antivirus? Then you need to inspect your system for privacy and security concerns. First of all, make sure whether your default browser had been changed to " Chromodo " -- a free browser offered by Comodo Antivirus. If your head nod is " Yes ," then you could be at risk! Chromodo browser, which is supplied along with the installation of Comodo Anti-Virus Software and marketed as 'Private Internet Browser' for better security and privacy, automatically overrides system settings to set itself as your 'Default Browser.' And secondly, the main security concern about Comodo Antivirus is that the Chromodo browser has 'Same Origin Policy' (SOP) disabled by default. Google's security researcher Tavis Ormandy , recently shouted at Comodo for disabling SOP by default in its browser settings that violates one of the strongest browser security policy. Orm
Hackers WIN $1 Million Bounty for Remotely Hacking latest iOS 9 iPhone

Hackers WIN $1 Million Bounty for Remotely Hacking latest iOS 9 iPhone

November 02, 2015Swati Khandelwal
Well, here's some terrible news for all Apple iOS users… Someone just found an iOS zero-day vulnerability that could allow an attacker to remotely hack your iPhone running the latest version of iOS, i.e. iOS 9. Yes, an unknown group of hackers has sold a zero-day vulnerability to Zerodium , a startup by French-based company Vupen that Buys and Sells zero-day exploits. And Guess what, in How much? $1,000,000. Yes, $1 Million. Last month, a Bug bounty challenge was announced by Zerodium for finding a hack that must allow an attacker to remotely compromise a non-jailbroken Apple device through: A web page on Safari or Chrome browser, In-app browsing action, or Text message or MMS. Zerodium's Founder Chaouki Bekrar confirmed on Twitter that an unnamed group of hackers has won this $1 Million Bounty for sufficiently submitting a remote browser-based iOS 9.1/9.2b Jailbreak (untethered) Exploit. NO More Fun. It's Serious Threat to iOS Use
Aw, Snap! This 16-Character String Can Crash Your Google Chrome

Aw, Snap! This 16-Character String Can Crash Your Google Chrome

September 21, 2015Swati Khandelwal
Remember when it took only 13 characters to crash Chrome browser instantly? This time, it takes 16-character simple URL string of text to crash Google Chrome instantly. Yes, you can crash the latest version of Chrome browser with just a simple tiny URL. To do this, all you need to do is follow one of these tricks: Type a 16-character link and hit enter Click on a 16-character link Just put your cursor on a 16-character link Yes, that's right. You don't even have to open or click the malformed link to cause the crash, putting the cursor on the link is enough to crash your Chrome. All the tricks mentioned above will either kill that particular Chrome tab or kill the whole Chrome browser. The issue was discovered by security researcher Andris Atteka , who explained in his blog post that just by adding a NULL char in the URL string could crash Chrome instantly. Atteka was able to crash the browser with a 26 character long string, which is given b
WebAssembly — New Standard for Powerful and Faster Web Apps

WebAssembly — New Standard for Powerful and Faster Web Apps

June 23, 2015Swati Khandelwal
Google, Apple, Microsoft , and Mozilla have joined hands to create code for use in the future web browsers that promises up to 20 times faster performance. Dubbed WebAssembly (or wasm for short), a project to create a new portable bytecode for the Web that will be more efficient for both desktop as well as mobile web browsers to parse than the complete source code of a Web page or an application. Bytecode is actually a machine-readable instruction set that is faster for web browsers to load than high-level languages. WebAssembly — A New File Format to Compile Code At the moment, browsers use JavaScript to interpret the code and allow functionality on websites such as dynamic content and forms. By default, JavaScript files are downloaded from the server and then compiled by the JavaScript engine in the web browser. However, improvements have been made to load times via Asm.js — the stripped-down JavaScript dialect described as an "assembly language for
Apple Safari Browser Vulnerable to URL Spoofing Vulnerability

Apple Safari Browser Vulnerable to URL Spoofing Vulnerability

May 19, 2015Swati Khandelwal
A serious security vulnerability has been uncovered in Apple’s Safari web browser that could trick Safari users into visiting a malicious website with the genuine web address. A group of researchers, known as Deusen , has demonstrated how the address spoofing vulnerability could be exploited by hackers to fool victim into thinking they are visiting a trusted website when actually the Safari browser is connected to an entirely different address. This flaw could let an attacker lead Safari users to a malicious site instead of a trusted website they willing to connect to install malicious software and steal their login credentials. The vulnerability was discovered by the same group who reported a Universal Cross Site Scripting (XSS) flaw in all the latest patched versions of Microsoft’s Internet Explorer in February this year that put IE users’ credentials and other sensitive information at risk. The group recently published a proof-of-concept exploit code that makes
Microsoft Edge: The Windows 10 Web Browser

Microsoft Edge: The Windows 10 Web Browser

April 30, 2015Mohit Kumar
Meet Microsoft’s replacement to its old web browser Internet Explorer. The Project Spartan Web browser for Windows 10 has now an official name — Microsoft Edge . Yes, Microsoft’s new web browser shipping on all Windows 10 devices, from computers to smartphones and tablets, is dubbed Microsoft Edge . The company just announced in its Build developer conference that Edge is going to be its primary/default web browser built into Windows 10 . Microsoft Edge is the successor to Internet Explorer and designed to be basic and minimalist for the future. Highlights of Microsoft Edge: There aren't many details about the unique features of Microsoft Edge yet, but here’s what we know about Microsoft Edge so far: It has built-in Cortana support, Microsoft's virtual assistant. It has a built-in reading list, web note-taking and sharing features. The rendering engine is called EdgeHTML. The design focuses on minimalism and simplicity. It has a super useful and we
Earn up to $15,000 for Hacking Microsoft Spartan Browser

Earn up to $15,000 for Hacking Microsoft Spartan Browser

April 23, 2015Mohit Kumar
If you’re a bug hunter and love playing with codes than you could grab as much as US$15,000 from Microsoft for finding out vulnerabilities in its latest Project Spartan browser . Yes, $15,000! It seems like Redmond don’t want to take a chance to let hackers and cyber criminals get their hands on the company’s latest Windows 10 operating system. On Wednesday, Microsoft announced that the company will be expanding its bug bounty program ahead of the release of Windows 10, which will include a two-month hunt for vulnerabilities in its new web browser, Project Spartan. So, it's time for security researchers and hackers to earn extra cash from Microsoft. For those who are unaware… What’s Project Spartan? Project Spartan is Microsoft’s project for its new web browser to replace the oldest Internet Explorer from its Windows operating system. Though the project is still very much under the developmental stage, Microsoft is making every effort to make Spartan
AwSnap! New Hack Can Crash Chrome Browsers of Mass Audience

AwSnap! New Hack Can Crash Chrome Browsers of Mass Audience

April 07, 2015Wang Wei
Few weeks back, we reported how a string of just 13 characters could cause your tab in Chrome to crash instantly . However, there was an exception that this special 13 characters string was only working on Mac OS X computers with no impact on Windows, Android, or iOS operating systems. Now, a recent hack against Chrome browser could crash your Chrome version 41 and above for Mac OS X, Windows and Chrome OS. At the time of writing, Chrome 41 seems to crash on long and/or malformed URLs. The details of this crash bug, dubbed as AwSnap , is described on Github . Warning: DO NOT CLICK on this LINK , which actually points to a Reddit thread that crashes Chrome browser because a Reddit user-submitted post containing the crash content. Just like a post, crashing a thread via a comment is also possible. Chrome crash occurs only when accessing the long and/or malformed URLs through a web server, which means using file:// will not crash your Chrome browser. Examples of
Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

March 22, 2015Mohit Kumar
The Annual Pwn2Own Hacking Competition  2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. During the second and final day of this year’s hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers. Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive: 5 bugs in the Windows operating system 4 bugs in Internet Explorer 11 3 bugs in Mozilla Firefox 3 bugs in Adobe Reader 3 bugs in Adobe Flash 2 bugs in Apple Safari 1 bug in Google Chrome $557,500 USD bounty paid out to researchers The star of the show was South Korean secur
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.