Search results for Chromium (web browser) | Breaking Cybersecurity News | The Hacker News

Microsoft today finally released the first new reborn version of its Edge browser that the company rebuilds from scratch using Chromium engine, the same open-source web rendering engine that powers Google's Chrome browser. However, the Chromium-based Edge browser builds haven't yet entered the stable or even the beta release; instead, Microsoft has released two testing-purpose preview builds for developers. Both previews build— "Canary"  that will be updated daily, and "Developer"  that will be updated every week—are now available for download from the Microsoft's new Edge insider website . Here's how Microsoft differentiates Canary and Developer builds: "Every night, we produce a build of Microsoft Edge — if it passes automated testing, we'll release it to the Canary channel. We use this same channel internally to validate bug fixes and test brand new features. The Canary channel is truly the bleeding edge, so you may discover bugs...

It is no secret how miserably Microsoft's 3-year-old Edge web browser has failed to compete against Google Chrome despite substantial investment and continuous improvements. According to the latest round of tech rumors, Microsoft has given up on Edge and reportedly building a new Chromium -based web browser, dubbed project codename " Anaheim " internally, that will replace Edge on Windows 10 operating system as its new default browser, a journalist at WindowsCentral learned. Though there is no mention of Project Anaheim on the Microsoft website as of now (except Anaheim Convention Center at California), many speculate that the new built-in browser could appear in the 19H1 development cycle of Microsoft's Insider Preview program. According to the report, the new browser will be powered by Blink rendering engine used by Chromium, one that also powers Google's Chrome browser, instead of Microsoft's own EdgeHTML engine. Chromium is an open-source Web b...

Sandcat Browser 2.0 Released,  Penetration Testing Oriented Browser Sandcat Browser version 2.0 includes several user interface and experience improvements, an improved extension system, RudraScript support and new extensions. What is Sandcat Browser? The fastest web browser combined with the fastest scripting language packed with features for pen-testers. Sandcat Browser is a freeware portable pen-test oriented multi-tabbed web browser with extensions support developed by the Syhunt team, the same creators of the Sandcat web application security scanner. The Sandcat Browser is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua language to provide extensions and scripting support. This first Sandcat Browser release includes the following pen-test oriented features: Live HTTP Headers Request Editor extension Fuzzer extension with multiple modes and support for filters JavaScript Executor extension -- allows you to load and r...

Get ready for a new Android Browser! Android ROM developer CyanogenMod has announced that it is working on a new browser for Android devices. Dubbed Gello , the open-source browser is based on Google's Chromium project and includes a ton of customization options for Android. The team provided a first look of Gello through a demo video that actually reveals a lot about the new Android browser. Some Specific Features of Gello include: " Save for Offline " Reading Mode Night Mode and Immersive Mode options Extensive site-by-site Privacy and Security Settings, including Ad Blocker Advanced Download Manager that allow you to rename files and select file paths Customized interface , including Tab Animations and Management Moreover, Lots of other granular controls. The Gello web browser would be aimed at those who prefer Android Open Source Project (AOSP) versions instead of Google's Android. The team noted that the Gello browser will not...

Cybersecurity researchers have disclosed a now-patched security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called  My Flow  that makes it possible to sync messages and files between mobile and desktop devices. "This is achieved through a controlled browser extension, effectively bypassing the browser's sandbox and the entire browser process," the company  said  in a statement shared with The Hacker News. The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of  updates  shipped on November 22, 2023. My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interfa...

Penetration Testing Oriented Browser - Sandcat Browser The fastest web browser combined with the fastest scripting language packed with features for pen-testers.  Sandcat Browser is a freeware portable pen-test oriented multi-tabbed web browser with extensions support developed by the Syhunt team, the same creators of the Sandcat web application security scanner. The Sandcat Browser is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua language to provide extensions and scripting support. This first Sandcat Browser release includes the following pen-test oriented features: Live HTTP Headers Request Editor extension Fuzzer extension with multiple modes and support for filters JavaScript Executor extension -- allows you to load and run external JavaScript files Lua Executor extension -- allows you to load and run external Lua scripts Syhunt Gelo HTTP Brute Force, CGI Scanner scripts and more. Download SandCat Browser

When you visit a website, it stores some information on your system through a web browser for later use i.e. Login information, so you do not have to re-login to your website every time you visit the same website on the same browser. Cookies are usually stored as plain text or in the database by the browser and if a computer is accessed by multiple people, one person might scan another's cookie folder and look for things like passwords or long-life session IDs. If an attacker has the physical access to your system, can steal all your cookies easily to hijack accounts. There are many tools available on the Internet that can make it quicker and easier for an attacker to export all your cookies from the browser. The Google Chrome web browser also saves cookies to a SQLite database file in the user's data folder. One can import that file to SQL Editor software to read all cookies in plain text format. Google's open source project Chromium browser now have a new feat...

Security researchers have uncovered a new piece of Adware that replaces your entire browser with a dangerous copy of Google Chrome , in a way that you will not notice any difference while browsing. The new adware software, dubbed " eFast Browser ," works by installing and running itself in place of Google Chrome The adware does all kinds of malicious activities that we have seen quite often over the years: Generates pop-up, coupon, pop-under and other similar ads on your screen Placing other advertisements into your web pages Redirects you to malicious websites containing bogus contents Tracking your movements on the web to help nefarious marketers send more crap your way to generating revenue Therefore, having eFast Browser installed on your machine may lead to serious privacy issues or even identity theft. What's Nefariously Intriguing About this Adware? The thing that makes this Adware different from others is that instead of taking contr...

A severe vulnerability disclosed in Chromium's Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds. Security researcher Jose Pino, who disclosed details of the flaw, has codenamed it Brash . "It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed," Pino said in a technical breakdown of the shortcoming. At its core, Brash stems from the lack of rate limiting on " document.title " API updates, which, in turn, allows for bombarding millions of [document object model] mutations per second, causing the web browser to crash, as well as degrade system performance as a result of devoting CPU resources to this process. The attack plays out in three steps - Hash generation or preparation phase, where the attacker preloads into memory 100 unique hexadecimal strings of 512 characters that act as a seed for the browser tab title changes ...

To improve performance and reduce crashes caused by third-party software on Windows, Google Chrome, by mid-2018, will no longer allow outside applications to run code within its web browser. If you are unaware, many third-party applications, like accessibility or antivirus software, inject code into your web browser for gaining more control over your online activities in order to offer some additional features and function properly. However, Google notes that over 15 percent of Chrome users running third-party applications on their Windows machines that inject code into their web browsers experience crashes—and trust me it's really annoying. But don't you worry. Google now has a solution to this issue. In a blog post published Thursday on Chromium Blog, Google announced its plan to block third-party software from injecting code into Chrome—and these changes will take place in three steps: April 2018 — With the release of Chrome 66, Google will begin informing use...

What if your laptop is listening to everything that is being said during your phone calls or other people near your laptop and even recording video of your surrounding without your knowledge? Sounds really scary! Isn't it? But this scenario is not only possible but is hell easy to accomplish. A UX design flaw in the Google's Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on. AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, 2017, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way. How Browsers Works With Camera & Microphone Before jumping onto vulnerability details, you first need to know that web browser based audio-video communication relies on WebRTC (Web Real-Time Communications) protocol – a collection of communications protocols th...

Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials ( DBSC ) to help protect users against session cookie theft by malware. The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said. "By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value," the company  noted . "We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices." The development comes on the back of reports that off-the-shelf information stealing malware are finding ways to steal cookies in a manner that al...

Google, Apple, Microsoft , and Mozilla have joined hands to create code for use in the future web browsers that promises up to 20 times faster performance. Dubbed WebAssembly (or wasm for short), a project to create a new portable bytecode for the Web that will be more efficient for both desktop as well as mobile web browsers to parse than the complete source code of a Web page or an application. Bytecode is actually a machine-readable instruction set that is faster for web browsers to load than high-level languages. WebAssembly — A New File Format to Compile Code At the moment, browsers use JavaScript to interpret the code and allow functionality on websites such as dynamic content and forms. By default, JavaScript files are downloaded from the server and then compiled by the JavaScript engine in the web browser. However, improvements have been made to load times via Asm.js — the stripped-down JavaScript dialect described as an "assembly language for ...

Cybersecurity researchers have demonstrated a novel technique that allows a malicious web browser extension to impersonate any installed add-on. "The polymorphic extensions create a pixel perfect replica of the target's icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension," SquareX said in a report published last week. The harvested credentials could then be abused by the threat actors to hijack online accounts and gain unauthorized access to sensitive personal and financial information. The attack affects all Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others. The approach banks on the fact that users commonly pin extensions to the browser's toolbar. In a hypothetical attack scenario, threat actors could publish a polymorphic extension to the Chrome Web Store (or any extension m...

Google was under fire of downloading and installing a Chrome extension surreptitiously and subsequently listened to the conversations of Chromium users without consent. After these accusations, a wave of criticism by privacy campaigners and open source developers has led Google to remove the extension from Chromium , the open-source version of the Chrome browser. The extension in question is " Chrome Hotword ," which was found to be responsible for offering the browser's famous " OK, Google " functionality. ' Ok, Google ' is certainly a useful feature that allows users to search for things via their voice when they use Google as their default search engine, but its something that also enables eavesdropping of every single conversation made by a user. Google Silently Listens to your Conversation This issue came to light by Pirate Party founder Rick Falkvinge , who says Google has silently installed black box code into the open-so...

If you use Zoom video conferencing software on your Mac computer—then beware—any website you're visiting in your web browser can turn on your device camera without your permission. Ironically, even if you had ever installed the Zoom client on your device and simply uninstalled it, a remote attacker can still activate your webcam. Zoom is one of the most popular cloud-based meeting platforms that provide video, audio, and screen sharing options to users, allowing them to host webinars, teach online courses, conduct online training, or join virtual meetings online. In a Medium post published today, cybersecurity researcher Jonathan Leitschuh disclosed details of an unpatched critical security vulnerability (CVE-2019-13450) in the Zoom client app for Apple Mac computers, which if combined with a separate flaw, could allow attackers to execute arbitrary code on the targeted systems remotely. Jonathan responsibly reported the security vulnerability to the affected company ov...

With browser makers steadily clamping down on third-party tracking, advertising technology companies are increasingly embracing a DNS technique to evade such defenses, thereby posing a threat to web security and privacy. Called  CNAME Cloaking , the practice of blurring the distinction between first-party and third-party cookies not only results in leaking sensitive private information without users' knowledge and consent but also "increases [the] web security threat surface," said a group of researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem in a new study. "This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site," the researchers  said  in the paper. "As such, defenses that block third-party cookies are rendered ineffective." The findings are expected to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021). Rise...

The Keksec threat actor has been linked to a previously undocumented malware strain, which has been observed in the wild masquerading as an extension for Chromium-based web browsers to enslave compromised machines into a botnet. Called  Cloud9  by security firm Zimperium, the malicious browser add-on comes with a wide range of features that enables it to siphon cookies, log keystrokes, inject arbitrary JavaScript code, mine crypto, and even enlist the host to carry out DDoS attacks. The extension "not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control of the entire device," Zimperium researcher Nipun Gupta  said  in a new report. The JavaScript botnet isn't distributed via Chrome Web Store or Microsoft Edge Add-ons, but rather through fake executables and rogue websites disguised as Adobe Flash Player updates. Once installed, the extension is designed to inject a JavaSc...