Search This Blog

Showing posts with label Chrome. Show all posts

Google Tricked Millions of Chrome Users in the Name of 'Privacy'

 

Google revealed last month that it is rolling out the Federated Learning of Cohorts (FLoC) program, an important part of its ‘Privacy Sandbox Project’ for Chrome. The company advertised FLoC as the latest, privacy-preserving option in Google Chrome to the third-party cookie.

But the real question is can Google truly preserve the privacy of its users? Well, the results of the FLoC trial don’t indicate that. Millions of Chrome users had no control of their involvement in the FLoC trial, they received no personal text, and, currently, they have no option to opt out from the FLoC trial. The only option to leave the trial is by blocking all third-party cookies on their Google Chrome browsers.

What is the FLoC program? 

FLoC is based on machine learning technology designed by Google and is meant to be an alternative to the kind of cookies that advertising technology firms use today to track you across the web. Instead of a personally-identifiable cookie, FLoC runs locally and examines your browsing pattern to group you into a cohort of like-minded people with similar interests (and doesn’t share your browsing history with Google). That cohort is particular enough to permit advertisers to do their thing and show you relevant ads, but without being so specific as to allow marketers to spot you personally. 

This "interest-based trial,” as Google likes to call it, allows you to hide within the crowd of users with similar interests. All the browser displays are cohort ID and all your browsing history and other data stay locally. Google has also started testing the FLoC cookie for some Chrome users which allows them to analyze the new system in an origin trial. 

Last month, Google’s FLoC trial announcement, gave Chrome users no alternative to quitting before the trial started. Instead, Google quietly started to expand its FLoC technology to Chrome users in the US, Canada, Mexico, Australia, New Zealand, Brazil, India, Japan, Indonesia, and the Philippines.

"When other browsers started blocking third-party cookies by default, we were excited about the direction, but worried about the immediate impact. Excited because we need a more private web, and we know third-party cookies aren’t the long-term answer. Overall we felt that blocking third-party cookies outright without viable alternatives for the ecosystem was responsible and even harmful, to the open and free web we all enjoy,” Marshall Vale, Google’s product manager, stated.

Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks

Google Chrome has blocked HTTPS, FTP, and HTTP access to TCP (transmission control protocol) port 10080 to protect ports getting exploited from NAT Slipstreaming 2.0 attacks. In 2020, cybersecurity expert Samy Kamkar revealed a new variant of the NAT Slipstreaming vulnerability that lets scripts on illicit websites avoid a user's NAT firewall and hack into any UDP/TCP port on the target's internal network. By exploiting these vulnerabilities, hackers can deploy a variety of attacks, these include modification of router configurations and hacking into private network services. 

"NAT Slipstreaming was discovered by security researcher Samy Kamkar and it requires the victims to visit the threat actor's malicious website (or a site with maliciously crafted ads). To expose hosted services, the attack abuses certain NAT devices scanning port 5060 to create port forwarding rules when detecting maliciously-crafted HTTP requests camouflaged as valid SIP requests," reported Bleeping Computers in 2019. The flaw only works on selected ports configured by a router's ALG (Application Level Gateway), ports that don't receive much traffic are being blocked by browser developers. 

As of now, Chrome has blocked HTTPS, HTTP, and FTP access on ports 1719, 1720, 1723, 5060, 5061, 69, 137, 161, and 554. Recently, Google said that it is considering blocking TCP port 10080 in Chrome. Firefox had blocked TCP port 10080 already in November last year. But the most worrisome aspect relating to 10080 is may developers may start using it as a replacement to port 80. They may find it useful as the port ends in '80' which makes it attractive. Besides this, the port doesn't require root privileges for binding into Unix systems, said Adam Rice, developer at Google Chrome. 

For developers that want to continue using this post, Mr. Rice will add an enterprise policy that will allow the developers to use the port by overriding the block. If a port is blocked, the user is displayed a "ERR_UNSAFE_PORT" error message while trying to gain access to the port. "If you are currently hosting a website on port 10080, you may want to consider using a different port to allow Google Chrome to continue accessing the site," said Bleeping computer.

Privacy Essentials Vulnerabilities in the DuckDuckGo Browser Extension

 

DuckDuckGo, the widely used web extension for Chrome and Firefox, that is meant to protect the privacy of its users has resolved a universal cross-site scripting (uXSS) flaw. DuckDuckGo Privacy Essentials, which blocks hidden trackers and offers private browsing features, was identified with the vulnerability. The research scientist Wladimir Palant has disclosed that it can allow arbitrary code to be executed on any domain on victims' devices. While the issue has been patched in Chrome, no updates for browsers like Microsoft Edge were published in Mozilla Firefox initially while it was disclosed. 

First of all, for certain internal communication, the extension used unsecure communication chains which ironically caused a certain amount of data leakage through the domain borders. DuckDuckGo's second security vulnerability allowed the DuckDuckGo server to execute arbitrary JavaScripting code on a given domain, and a Cross-Site Scripting (XSS) vulnerability in this extension. 

The security vulnerability could allow malicious actors to spy on all websites visited by the user, making confidential material such as banking and other data available. He says that even when browsing the website it leaves their privacy "completely compromised" and can even utilize web sites with defensive measures, like the security of information. Palant said that someone else controlling ‘http://staticcdn.duckduckgo.com’ can only use this vulnerability, which means that an attacker needs accessing the server. 

 “The data used to decide about spoofing the user agent is downloaded from staticcdn.duckduckgo.co,” Palant wrote. “So the good news [is]: the websites you visit cannot mess with it. The bad news: this data can be manipulated by DuckDuckGo, by Microsoft (hosting provider), or by anybody else who gains access to that server (hackers or government agency).” 

DuckDuckGo Privacy Essentials 2021.3. solves both problems. While initially it solved the issue for Chrome only. For certain reason Mozilla Firefox and Microsoft Edge, two releases were missed (insecure internal communication). Although Firefox and Edge can now have an extension version with the fix. 

These vulnerabilities are very characteristic, because in other extensions he has seen similar errors several times. This extension is not only one where the developers are clueless. The Google Chrome extension platform merely does not offer safe and convenient solutions. So most developers of extensions are bound to do the first attempt wrong. 

“As a more advanced consequence [if the attacker was a government agency], your communication in the browser is no longer private, even when using a secure mail provider like ProtonMail or communicating with journalists via SecureDrop.” 

As informed by a Mozilla spokesperson: "The extension is available in a fixed version now. Firefox users receive it, depending on their extension update settings, either through a manual or automatic update extension check."

Malicious Operations Hide Under The Google Chrome Sync Feature

 

Lately, the threat actors have detected a technique where they can use the sync feature of Google Chrome to transmit commands and steal data from infected systems, circumvent conventional firewalls and other network protections to infected browsers. Chrome sync is a Chrome browser feature that stores copies of a Chrome user's bookmarks, browsing history, browser passwords, and extension settings on Google's cloud servers. This function is used to synchronize the aforementioned data with various devices of a user so that the user still has access to his new Chrome information everywhere. 

On Thursday 4th of January, Bojan Zdrnja, a Croatian security researcher, shared his discovery, wherein a malicious Chrome extension exploited the Chrome sync as a way to connect with a remote command and control (C&C) server and to exfiltrate the details from compromised browsers during the latest incident reaction. 

In addition, Zdrnja added that the attackers had gotten access to a victim's device during the incident he investigated, however, because the data they tried to steal was inside the worker's portal, therefore they downloaded Chrome extension on the user’s system and loaded it in Developer's Mode. It included malicious code that abused Chrome's synchronized functionality to allow attackers to monitor the infected browser, which was used as a security add-on by security company Forcepoint. 

Zdrnja claimed that the purpose of this unique attack was to use the extension to "manipulate data in an internal web application that the victim had access to." 

"While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries," Zdrnja stated in a report. 

"In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim's network by abusing Google's infrastructure," he added, wherein data stored in the key field could be anything. For instance, data obtained from the infected browser may be malicious extensions or commands the attacker desires to run the extension at an infected workstation (for example, usernames, passwords, cryptographic keys, or more).

Although the stolen content or corresponding commands are transmitted via Chrome's infrastructure, no process can be inspected or blocked in the majority of corporate networks, which are normally authorized to run and transfer data unimpeded by the Chrome browser. 

The researcher recommended businesses to use Chrome company and community decision assistance to block and monitor the plugins that could be installed on a browser, prohibiting rogue extensions, such as the one he investigated, from being installed.

Users can now Use 2 Step Verification on their Chrome and Safari Browser


Google has launched a new feature for ensuring users' security. You will now be able to enroll for 2 Factor Authentication Keys from Web browsers. Google is allowing you to enroll security keys on Android and macOS devices by making it easier to register for keys. "Two-factor authentication, also called multiple-factor or multiple-step verification, is an authentication mechanism to double-check that your identity is legitimate."


When you sign in into your account it asks for a username and password, this is the first verification process. Two-factor authentication adds another security layer after this to confirm your identity. It (2FA) could be a pin, a password, a one time password, a physical device, or biometric. It should be something only you have to know. Two-factor authentication is very important as a password isn't as protective as we believe. Cyber attackers can test billions of password combinations in a second.

Two-factor authentication or two-step verification adds another layer of protection besides a password, and it is hard for cybercriminals to get this second factor and reduces their chance to succeed. Now Google is offering these 2FA authentication keys, and you can register for these on macOS devices using Safari (v. 13.0.4 and up), and Android devices running Android 7.0 “N” and up, using the Google Chrome web browser (version 70 and up). Users can register these independently or with those who have signed up for the Advanced Protection Program. It's available for all users given you're using the mentioned version of the software.

What is Security Keys? 

Security Keys are the most secure form of two-factor authentication (2FA) or two-step verification to protect against various threats like hacking and phishing. Users are provided with physical keys that they can insert into the USB port of their device, when required the user will touch the key. On Android devices, the user will have to tap the key on their NFC ( Near Field Communication) enabled device. Android users can also opt for USB and Bluetooth keys. Apple mobile users will be provided Bluetooth-enabled security keys.

Google Cuts Down Chrome's Patch-Gap in Half, from 33 to 15 Days now


Last week, Google has announced the cutting down of 'patch gap' in half for Chrome and the future plans of cutting it down further are also making the headlines.

Security Engineers at Google told that the 'patch gap' for Google Chrome which earlier was 33 days has now been successfully reduced to only 15 days. Some of you might be wondering what exactly a 'patch gap' means, it refers to the time frame it takes from when a security bug gets fixed in an open-source library to when that fix reaches in software which used that library.

These days, when the software ecosystem contains most of the apps relying upon the open-source modules, patch-gap plays a major role as it creates a potential security risk.

How Patch-Gap involve Major Security Risk?

As soon as a security bug gets fixed by someone in a particular open-source library, all the details related to that bug become available in the public domain. It is simply because of the open nature of the open-source libraries and projects. Now, the software which is largely dependent on these easily accessible components available in open source libraries, become vulnerable to the attacks and exploits that hackers can craft by exploiting the details regarding the security flaws.

How Patch-Gap will be Useful?

Considering the likeliness of the aforementioned possibility, if the software developers are releasing patches on a fixed release schedule which includes updates incoming every week or in a couple of months, the patch-gap here will allow hackers to set-off attacks that most software will have difficulty in dealing with.

A member of the Chrome Security team, Andrew R. Whalley said, "We now make regular refresh releases every two weeks, containing the latest severe security fixes,"

"This has brought down the median 'patch gap' from 33 days in Chrome 76 to 15 days in Chrome 78, and we continue to work on improving it," he further told.

Apple Engineers to Standardize the Format of the SMS Messages Containing OTPs


A proposal comes from Apple engineers working at WebKit, the core component of the Safari web browser, to institutionalize the format of the SMS messages containing one-time passwords (OTP) that users receive during the two-factor authentication (2FA) login process.

 With 2 basic goals, the proposal aims initially is to introduce a way that OTP SMS messages can be associated with a URL, which is essentially done by adding the login URL inside the SMS itself.

And the second being to institutionalize the format of 2FA/OTP SMS messages, so browsers and other mobile applications can undoubtedly distinguish the approaching SMS, perceive web domain inside the message, and afterward consequently extract the OTP code and complete the login operation moving forward without any further user interaction.

According to the new proposal, the new SMS format for OTP codes would look like below:

747723 is your WEBSITE authentication code. 
@website.com #747723 

The first line, intended for human users, permits them to decide from what site the SMS OTP code originated from and the second line is for both human users as well as for applications and browsers.

 Applications and browsers will consequently extricate the OTP code and complete the 2FA login operation. In the event that there's a 'mismatch' and the auto-complete operation falls flat, human readers will have the option to see the site's original URL, and contrast it with the site they're attempting to login.

On the off chance that the two are not similar, at that point, users will be alerted that they're very a phishing site and forsake their login activity.

When browsers will deliver components for reading SMS OTP codes in the new format, significant providers of SMS OTP codes are required to switch to utilizing it. Starting now, Twilio has already communicated its enthusiasm for actualizing the new arrangement for its SMS OTP administrations. 

Presently, while Apple (WebKit) and Google (Chromium) engineers are quite energetic about the proposition, Mozilla (Firefox) has not yet given an official criticism on the standard yet.

Vulnerability in Chrome Allows To Virtually Take Over Any Android-Based Device



A critical vulnerability in Chrome for Android apparently exploited and displayed in a quite popular hacking contest is now being known to empower anybody with specialized technical expertise to remotely take control for all intents and purposes any Android-based device. 
Found by PacSec speaker Guang Gong from Qihoo 360 at Pwn2Own the vulnerability in Google's JavaScript v8 is said to purportedly influence all renditions of Android running the latest version of Chrome. 
What makes this specific vulnerability stand out amongst the remaining of the already established hazardous and risky ones is that being a 'one shot exploit', just one is sufficient to remotely hack the device. 
At first, the user is tricked into visiting a vindictive website on Chrome and once there, an attacker effectively installs an arbitrary application into the device thusly gaining full privileges. 
"As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone," it was reported.
Despite the fact that android fixed 33 vulnerabilities, in which, 9 vulnerabilities were categorized under critical severity and rest of the 24 were fixed under "high" severity.
Until now no more insights regarding the exploits have been unveiled. Google, on the other hand has purportedly been made mindful of the Chrome vulnerability, regardless of whether it has been fixed is yet to be affirmed.

Hackers Now Tricking Users with Fake Address Bars on Chrome



Hackers now take the aid of another and a rather refined phishing attack on Android Chrome only so to shroud the original address bar's screen space by showing its very own fake URL bar when the user scrolls down the site's page.

The fake address bar that relates with the phishing website page posed with real webpage URL by intercepting the original chrome bar. Typically, when users scroll down the site's page, the browser shrouds the URL bar and the page covers overlaps on it in light of the fact that the page is accessible to by means of a "trustworthy browser UI".

Here, the phishing site manhandles this procedure by displaying its very own fake URL bar that acted like an authentic one and trapped users to give away their own personal information.
Security researcher James Fisher exhibited this phishing attack by facilitating his own domain (jameshfisher.com), as he exploited the blemish in chrome browser for mobile.

Fisher used the HSBC domain (www.hsbc.com) as a fake URL bar to proceed with the said demonstration  and by utilizing a similar way the attackers resort to when they utilize any legitimate site, intercept the URL bar and steal the information.

Specialist call it as "scroll jail", when this attack gets even worse for wear, for the most part when the users look up the site page however again reach the first URL bar, here the attackers trap the users to never return on the original URL bar.

According to Fisher, the attack resembles in a dream in inception, the user believes that they're in their own browser, yet they're actually in a browser inside their browser.

 “Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it! So I can imagine this technique fooling users who are less aware of it, and who are less technically literate. The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page. After that, there’s not much escape”, says Fisher, who is also of the believe that it might be a security flaw in Chrome browser causing the commotion.

Chrome Utilized for iOS Vulnerability by a Threat Group to Bypass the Browser's Built-In Pop-Up Blocker



eGobbler, a threat group recently targeted iOS users from the U.S. alongside various European Union Countries through numerous massive malvertising attacks for almost a week and utilized Chrome for iOS vulnerability to sidestep the browser's built-in in pop blocker.

The said threat group utilized "8 individual campaigns and more than 30 fake creatives" all through their push, with every one of the fake ad crusades having life spans of somewhere in the range of 24 and 48 hours.

As per the Confiant researchers who found and observed eGobbler's iOS-targeted attacks, approximately 500 million users' sessions were somehow exposed to this extensive scale coordinated campaign pushing counterfeit promotions i.e. fake ads.


As found by Confiant's specialists eGobbler's campaigns more often than not remain active for a maximum limit of 48 hours, quickly pursued by brief times of hibernation which unexpectedly end when the next attack begins.

Some of them are even seen to have used landing pages facilitated on .world domains utilizing pop-ups to hi-jack users' sessions and divert the unfortunate casualties to vindictive pages, as this technique helps the attackers in phishing as well as in malware dropping purposes.

Anyway this campaign was not the first of its kind designed by the eGobbler malvertising group to explicitly target iOS users, as in November 2018, Confiant observed one more campaign kept running by the ScamClub group which figured out how to capture approximately 300 million iOS user sessions and diverted them all adult content and gift voucher tricks.

Be that as it may, as Confiant said in their report, "This really was a standout campaign compared to the others that we track based not only on the unique payload, but the volumes as well?"
They later included that “With almost half a billion user sessions impacted, this is among the top three massive malvertising campaigns that we have seen in the last 18 months."