Spook.js: Chrome is Threatened by a New Spectre Like Attack

 

A newly found side-channel attack targeting Google Chrome might allow an attacker to use a Spectre-style attack to bypass the web browser's security protections and extract sensitive information. Spook.js is a novel transient execution side-channel attack that specifically targets Chrome. Despite Google's efforts to mitigate Spectre by deploying Strict Site Isolation, malicious JavaScript code can still extract information in some instances.

An attacker-controlled webpage can learn which other pages from the same website a user is presently viewing, collect sensitive information from these pages, and even recover auto-filled login credentials (e.g., username and password). If a user downloads a malicious extension, the attacker may obtain data from Chrome extensions (such as credential managers). 

Spectre, which made news across the world in 2018, makes use of vulnerabilities in contemporary CPU optimization features to get around security measures that prohibit separate programmes from accessing one another's memory space. This enabled attackers to steal sensitive information across several websites by attacking how different applications and processes interact with processors and on-chip memory, allowing a wide range of attacks against different types of applications, including web apps.

Google Chrome implemented Strict Site Isolation, which prevents different web pages from sharing the same process. It also divided each process's address space into separate 32-bit sandboxes (despite being a 64-bit application).

Site Isolation is a Chrome security feature that provides extra protection against some sorts of security vulnerabilities. It makes it more difficult for websites that aren't trustworthy to get access to or steal information from your accounts on other websites.

Despite these safeguards, Spook.js, according to researchers from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, "shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks." 

“More specifically, we show that Chrome’s Strict Site Isolation implementation consolidates webpages based on their eTLD+1 domain, allowing an attacker-controlled page to extract sensitive information from pages on other subdomains,” they said. "Next, we also show how to bypass Chrome’s 32-bit sandboxing mechanism. We achieve this by using a type confusion attack, which temporarily forces Chrome’s JavaScript engine to operate on an object of the wrong type."

“Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1," the study recommended. “This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries."
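The recommendation above can be checked mechanically. The following is an added example, not code from the Spook.js researchers or from Chrome: it computes the eTLD+1 of each URL and reports user-content origins that would be consolidated with sensitive pages. The suffix set is a constructed, abbreviated stand-in for the Public Suffix List, and all URLs and function names are hypothetical.

```javascript
// Constructed, abbreviated stand-in for the Public Suffix List (PSL).
// A real audit must load the full list from https://publicsuffix.org/.
const PUBLIC_SUFFIXES = new Set(["com", "org", "io", "uk", "co.uk", "github.io"]);

// Return the eTLD+1 (registrable domain) of a hostname, or null if it has none.
function etldPlusOne(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no registrable domain; treat the address itself as the site.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":")) return host;
  const labels = host.split(".");
  // Try the longest candidate suffix first, so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A host that is itself a public suffix has no eTLD+1.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // PSL default rule: an unlisted TLD counts as a one-label public suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

function siteOf(url) {
  return etldPlusOne(new URL(url).hostname);
}

// Report untrusted (user-supplied content) URLs that share an eTLD+1 with
// any sensitive URL, i.e. that eTLD+1-based consolidation would group with it.
function findCoLocated(untrustedUrls, sensitiveUrls) {
  const findings = [];
  for (const url of untrustedUrls) {
    const site = siteOf(url);
    if (site === null) continue;
    const sharedWith = sensitiveUrls.filter((s) => siteOf(s) === site);
    if (sharedWith.length > 0) findings.push({ url, site, sharedWith });
  }
  return findings;
}

// Constructed sample inventory of a hypothetical deployment.
const SENSITIVE = [
  "https://accounts.example.com/login",
  "https://mail.example.co.uk/inbox",
  "https://bob.github.io/admin",
];
const UNTRUSTED = [
  "https://usercontent.example.com/widget.js",  // same eTLD+1 as accounts.example.com
  "https://cdn.example.co.uk/embed.js",         // same eTLD+1 as mail.example.co.uk
  "https://example-usercontent.com/widget.js",  // different eTLD+1: separated
  "https://alice.github.io/app.js",             // github.io is a public suffix: separated
];

for (const f of findCoLocated(UNTRUSTED, SENSITIVE)) {
  console.log(`${f.url} shares site ${f.site} with ${f.sharedWith.join(", ")}`);
}
```

Any URL this reports should be moved to a host with a different eTLD+1, as the study recommends.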

Chrome 92 Update by Google Patches 10 High Severity Vulnerabilities

 

Chrome 92 (92.0.4515.131), the Google security update issued for Windows, Mac, and Linux, has patched at least 10 vulnerabilities. Chrome 92 is an update that improves the efficiency of the browser's phishing computations, extends the scope of its site isolation technologies, and adds a few new 'Chrome Actions' to the repertoire.

The California-based search giant has awarded over $133,000 in rewards to users who identified some 35 vulnerabilities addressed in Chrome 92. At least 9 of the flaws were categorized under high severity, the current highest threat level from Google.

Researchers Leecraso and Guang Gong of the 360 Alpha Lab team at the Chinese cybersecurity company Qihoo 360 won $20,000 for detecting a high-severity vulnerability identified as CVE-2021-30590. Google described the issue as a buffer overflow in Bookmarks.

Leecraso told SecurityWeek that CVE-2021-30590 is a sandbox escape issue that could be "exploited with an extension or a compromised renderer." An attacker can exploit the flaw to remotely execute code outside Chrome's sandbox. Because the flaw is an out-of-bounds write, it might be leveraged to break out of the browser's sandbox, and exploitation would only require the user to download the extension.

Google Chrome Sandbox is a creation and test environment for developers of Google Chrome-based applications. The sandbox environment provides a test and staging infrastructure in which the code being tested cannot modify current code and databases.

Two vulnerabilities uncovered by researcher David Erceg have also been rated high severity. CVE-2021-30592, described as an out-of-bounds write in Tab Groups, earned him $10,000, while CVE-2021-30593, described as an out-of-bounds read in Tab Strips, earned him a $5,000 bug reward.

“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out-of-bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.” 

CVE-2021-30591, a use-after-free flaw in the File System API, is yet another high-severity vulnerability, for which Google paid out $20,000. It was reportedly discovered by researcher SorryMybad of Kunlun Lab.

It is worth noting that Google pays up to $20,000 for Chrome sandbox escape vulnerabilities disclosed in a high-quality report. If researchers additionally offer a functioning exploit, they can receive up to $30,000 for such flaws.

Users should upgrade Chrome as soon as possible, given that the web browser seems to be increasingly targeted for malicious activity. It is worth noting that this year, Google fixed over half a dozen zero-day vulnerabilities that were being actively exploited.

XCSSET, a macOS Malware, Targets Google Chrome and Telegram Software

 

As part of further "refinements in its tactics," a malware notorious for targeting the macOS operating system has been updated to add more elements to its toolset that allow it to accumulate and exfiltrate sensitive data saved in a range of programmes, including apps like Google Chrome and Telegram. This macOS malware can collect login credentials from a variety of apps, allowing its operators to steal accounts. 

XCSSET was discovered in August 2020, when it was found to be targeting Mac developers using an unusual method of propagation that entailed injecting a malicious payload into Xcode IDE projects, which is executed when the project files are built in Xcode. XCSSET collects files containing sensitive information from infected computers and delivers them to the command and control (C2) server. 

Telegram, an instant messaging service, is one of the apps that has been attacked. The malware produces the “telegram.applescript” archive in the Group Containers directory for the “keepcoder.Telegram” folder. By obtaining the Telegram folder, the hackers are able to log into the messaging app as the account's legitimate owner. The attackers gain access to the victim's account by moving the stolen folder to another machine with Telegram installed, according to Trend Micro researchers. Because normal users have read and write permissions to the application sandbox directory, XCSSET can steal sensitive data this way.

The malware can read and dump Safari cookies, inject malicious JavaScript code into multiple websites, steal information from programmes like Notes, WeChat, Skype, and Telegram, and encrypt user files, among other things. Earlier this month, XCSSET received an update that allowed malware developers to target macOS 11 Big Sur as well as Macs with the M1 chipset by getting beyond Apple's new security standards in the current operating system. 

"The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps," Trend Micro researchers previously noted. 

According to a new report released by the cybersecurity firm on Thursday, XCSSET uses a malicious AppleScript file to compress the Telegram data folder ("/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram") into a ZIP archive file before uploading it to a remote server under their control, allowing the threat actor to log in using the victim's account. 

"The discovery of how it can steal information from various apps highlights the degree to which the malware aggressively attempts to steal various kinds of information from affected systems," the researchers said.

With Safari Zero-Day Attacks, Russian SVR Hackers Targeted LinkedIn Users

 

Google security experts revealed details on four zero-day vulnerabilities that were undisclosed until they were exploited in the wild earlier this year. After discovering exploits leveraging zero-day vulnerabilities in Google Chrome, Internet Explorer, and WebKit, the engine used by Apple's Safari web browser, Google Threat Analysis Group (TAG), and Google Project Zero researchers discovered the four security issues. 

CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit were the four zero-day exploits found by Google researchers earlier this year while being abused in the wild. "We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT," Google Threat Analysis Group's Director Shane Huntley said. "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020," Google researchers added. "While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend." 

Despite the fact that the zero-day flaws for Chrome and Internet Explorer were developed and sold by the same vendor to customers all over the world looking to improve their surveillance capabilities, they were not employed in any high-profile operations. The CVE-2021-1879 WebKit/Safari bug, according to Google, was used "to target government officials from Western European countries by sending them malicious links," via LinkedIn Messaging. 

The attackers were part of a likely Russian government-backed actor employing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7), according to Google experts. While Google did not link the exploit to a specific threat group, Microsoft claims it is Nobelium, the state-sponsored hacking group responsible for the SolarWinds supply-chain attack that resulted in the compromise of numerous US federal agencies last year. 

Volexity, a cybersecurity firm, also attributed the attacks to SVR operators based on strategies used in earlier attacks dating back to 2018. In April, the US government charged the Russian Foreign Intelligence Service (aka SVR) for conducting "a broad-scale cyber-espionage campaign" through its hacking group known as APT29, The Dukes, or Cozy Bear. The attacks were designed to "collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP," according to Google.

Fake Chrome App is Being Used as Part of a Cyberattack Campaign

 

According to researchers at cybersecurity company Pradeo, a new Android malware has been discovered that imitates the Google Chrome software and has already infected hundreds of thousands of smartphones. The hazard has been labeled a "Smishing Trojan" by the researchers. 
 
According to the researchers, the false Google Chrome app is part of a smartphone attack campaign that uses phishing to steal your credit card information. By downloading the fake software, the device becomes a part of the attack campaign as well. 

“The malware uses victims’ devices as a vector to send thousands of phishing SMS. We evaluate that the speed at which it is spreading has enabled it to already target hundreds of thousands of people in the last weeks,” said the researchers in their ‘Security Alert’ post on their website.

The attack begins with a simple "smishing" gambit, according to Pradeo researchers: targets receive an SMS text telling them to pay "custom fees" to release a package delivery. If they fall for it and tap the link, a message appears informing them that the Chrome app needs to be updated. If they accept, they are directed to a malicious website that hosts the phony app. It is, in reality, ransomware that is downloaded onto their phones.

After the ostensible "update," victims are directed to a phishing page, which completes the social engineering: according to the study, they are asked to pay a small sum (usually $1 or $2) in a less-is-more strategy, which is of course just a front to collect credit card information.

“Attackers know that we’re accustomed to receiving alerts of all types on our smartphones and tablets,” Hank Schless, senior manager of security solutions at Lookout said. “They take advantage of that familiarity to get mobile users to download malicious apps that are masked as legitimate ones.” 

The campaign is especially risky, according to Pradeo researchers, because it combines an effective phishing tactic, malware for propagation, and multiple security-solution bypasses. “The attack could be the work of a regular level but very ingenuous cybercriminal,” Pradeo’s Roxane Suau said. “All the techniques (code concealment, smishing, data theft, repackaging…) used separately are not advanced, but combined they create a campaign that is hard to detect, that spreads fast and tricks many users.”

Critical Bugs in Firefox and Chrome Allow Exploitation

 

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) urged users of Mozilla Foundation's Firefox browser and Windows, macOS, and Linux users of Google's Chrome browser to patch bugs tracked as CVE-2020-16044 and CVE-2020-15995 respectively.

CVE-2020-16044 is classified as a use-after-free bug tied to the way Firefox handles browser cookies; if exploited, it permits attackers to access the computer, phone, or tablet running the browser software. Affected are Firefox versions released before the recently released Firefox desktop 84.0.2, Firefox Android 84.1.3, and Mozilla's corporate ESR 78.6.1 version of Firefox. "A pernicious peer might have altered a COOKIE-ECHO chunk in a SCTP packet in a way that conceivably resulted in a use-after-free. We assume that with enough effort it might have been exploited to run arbitrary code," according to a Mozilla security notice.

SCTP stands for Stream Control Transmission Protocol, utilized in computer networking to communicate protocol data inside the Transport Layer of the internet protocol suite, or TCP/IP. A COOKIE ECHO chunk is a snippet of information sent during the initialization of the SCTP association with the browser.

Google's Chrome browser bug CVE-2020-15995 was affecting the current 87.0.4280.141 version of the software. The CISA advisory stated that the update to the most recent version of the Chrome browser would "addresses vulnerabilities that an attacker could exploit to take control of a tainted system." Because Microsoft's most recent Edge browser is based on Google's Chromium browser engine, Microsoft also encouraged its users to update to the most recent 87.0.664.75 version of its Edge browser.

While researchers at Tenable rated the out-of-bounds bug as critical, both Google and Microsoft characterized the vulnerability as being of high severity. Tencent Security Xuanwu Lab researcher Bohan Liu is credited with finding and reporting the bug. CVE-2020-15995 is described as an "out of bounds write in V8", a bug initially found in September 2020 by Liu. V8 is Google's open-source and high-performance JavaScript and WebAssembly engine, according to a Google developer description. Neither Microsoft nor Google clarified why the September 2020 CVE-2020-15995 is being highlighted again in both their security bulletins. Typically, that means that the first fix was incomplete.

Mozilla Firefox Disabling Backspace Key to Prevent Data Loss

Mozilla Firefox is about to disable the browser's backspace key to help users avoid data loss. 

In 2014, Google Chrome and Microsoft Edge already removed the ability to go back to a previous page by using the backspace key, as there was a possibility of losing data entered into forms on the current page. Those who are using Google Chrome have to download an extension to use this again, whereas Microsoft Edge offered a flag for its users to re-activate it. In the same way, Mozilla Firefox is also offering its users the option to re-activate the backspace key if they wish to do so.

"Would be useful to determine how commonly backspace is used as a "back" action shortcut, so we can figure out if we need to tweak the UX somehow to avoid accidental loss of form data due to mistyping the backspace key," Google Chrome developers stated in a 2014 bug post. 

According to the sources, seven years ago, Mozilla Firefox set up a committee and reviewed the bug post to decide whether the backspace key should be disabled or not. In the end, the committee decided not to change anything at that time. Around six years later, Mozilla finally decided to remove the backspace shortcut after realizing that, except for Mozilla and Internet Explorer 11, no browsers support this keyboard shortcut.

"To prevent user data loss when filling out forms, the Backspace key as a navigation shortcut for "Go back one page" is now disabled. To re-enable the Backspace keyboard shortcut, you can change the about:config preference browser.backspace_action to 0. You can also use the recommended Alt + Left arrow (Command + Left arrow on Mac) shortcut instead," Firefox Release Manager Pascal Chevrel added to the Firefox Nightly 86.0a1 release notes.

TechDows was the first to report on this change, which is now live in the Firefox browser for users to test.
Users who want to continue using the backspace key can re-enable it by following these steps:

1. Enter about:config in the Firefox address bar.
2. Search for browser.backspace_action and change its value to '0'. 

Once the setting is configured, you will be able to use the backspace key to go back to the previous page in Mozilla Firefox.

Google Chrome Receives Second Patch for Serious Zero-Day Bug in Two Weeks

Google has recently introduced a fix for another zero-day bug in its Chrome browser and has also released a new security update for desktops. The bug (CVE-2020-16009) that affected the V8 component of the Chrome browser was discovered by Clement Lecigne and Samuel Groß of Google's Threat Analysis Group (TAG) and Google Project Zero respectively. 


 
To address the abovementioned flaw on machines running Mac, Windows, and Linux, Google released the Google Chrome security patch version 86.0.4240.183. The tech giant further said that the bug, when exploited, allowed threat actors to bypass and escape the Chrome security sandbox on Android smartphones and run code on the underlying operating system.

Google declined to disclose any details of the bug that had been exploited actively in the wild, as a lot of users have not updated yet; it's a part of Google's privacy policy. It prevents attackers from developing exploits alongside and gives users more time to get the updates installed. While Google's TAG hasn't confirmed if the threat actors behind the two bugs were the same, it assured that the acts were not motivated by the ongoing US presidential elections.

Furthermore, a critical memory corruption flaw under active exploitation in the Google Chrome browser (CVE-2020-15999) was identified by the researchers at Google's TAG, who also said that this zero-day vulnerability was under attack in combination with CVE-2020-17087, a Windows zero-day. The zero-day vulnerability identified as CVE-2020-15999 affected the FreeType font rendering library, thereby demanding attention from all services making use of this library.
 
Additionally, the latest security update will also allow users to experience a more stable and improved Chrome browser in terms of performance. 
 
In a blog post published on 2nd November, Google said, "The stable channel has been updated to 86.0.4240.183 for Windows, Mac, and Linux which will roll out over the coming days/weeks. A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues." 

"Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," the blog further stated.

Mobile Versions of Several Browsers Found Vulnerable to Address Bar Spoofing Flaws

 

Several mobile browsers including Firefox, Chrome, and Safari were found vulnerable to an ‘address bar spoofing’ flaw which when exploited could allow a threat actor to disguise a URL and make his phishing page appear like a legitimate website, according to a report published by cybersecurity company Rapid7 which reportedly worked in collaboration with Rafay Baloch - an independent security researcher who disclosed ten new URL spoofing vulnerabilities in seven browsers. 
 
The browser vendors were informed about the issues in August, as the vulnerabilities surfaced earlier this year; some of the vendors took preventive measures, patching the issues beforehand, while others left their browsers vulnerable to the threat.

Notably, the Firefox browser for Android has already been fixed by Mozilla, and those who haven’t updated it yet should do so now. Google’s Chrome Browser on both Android and iOS, however, is still vulnerable to the threat and is unlikely to be patched until September. Other affected browsers include Opera Touch, UC Browser, Yandex Browser, RITS Browser, and Bolt Browser.

In order to execute an address bar spoofing attack, the attacker alters the URL displayed in the address bar of the affected web browser, tricking victims into believing that the website they are browsing is controlled by a trusted source. In reality, however, the website is controlled by the attackers carrying out the spoofing attack. The attacker can trick his victims into providing their login details or other personal information by making them think they are connected to a website like Paypal.com.

“Exploitation all comes down to, "Javascript shenanigans." By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website,” the report explained.

“With ever-growing sophistication of spear-phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear-phishing attacks and hence prove to be very lethal,” Baloch added.

Google Confirms Two New High-Severity Vulnerabilities in Chrome 81


The new Chrome 81 version released on April 7th by Google for Windows, Mac, and Linux primarily focused on security owing to the vulnerability users are subjected to due to the coronavirus pandemic. The launch of the update was delayed for similar reasons. It brought along new features, bug fixes, and over 30 security flaw patches from Google's security researchers and some experts from outside.

The new Chrome 81 version is being promoted to the Stable channel, meanwhile, Chrome 83 and Chrome 84 will be promoted to the Beta version and the Canary version respectively. As per sources, Chrome 82 will be disregarded because of the COVID-19 charged atmosphere, and all progress from the version will be channelized into the subsequent version, Chrome 83.

While warning users of more security flaws in Chrome 81, Google confirmed two new high-severity vulnerabilities affecting the web browser. As these new security flaws could allow hackers to run commands on an affected system by gaining unauthorized control, users worldwide are being advised by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to apply the latest update launched by the company in defense against these security vulnerabilities.

Both of the aforementioned security vulnerabilities were reported by Zhe Jin from Qihoo 360, a Chinese internet security services provider; for one of these, Jin received a bounty of $10,000 for CVE-2020-6462, which is a use-after-free error in the Chrome task scheduling component. The second one, CVE-2020-6461, was also of a similar use-after-free form but this one affected storage, according to the update notice from Prudhvikumar Bommana, Google Chrome Technical Program Manager.

Google has confirmed that the update will be pushed for all the users in the upcoming days and weeks, however, users are advised to remain proactive and keep looking up for updates to be applied manually by going to Help | About Google Chrome, where you can find the version you are currently running and an option to check for further updates. After installing the latest version, simply restart the web browser, and there you go being safeguarded against both the flaws.

Google Stops Displaying Security Warnings in Microsoft Edge, No Longer Recommends Switching to Chrome


Google has stopped advising Microsoft Edge users to switch to Chrome for a more secure experience, as the browser extensions crafted for Google's Chrome web browser are also suitable for Microsoft's new Edge browser based on Chromium.

It appeared like Google stoked the flames of browser wars when it subtly encouraged Edge users to shift to Chrome by displaying warnings of potential security threats. The alert displayed by Google read that it "recommends switching to Chrome to use extensions securely". A developer at Edge revealed that the new Microsoft Edge is designed to effectively safeguard its users from malicious extensions, that said, Edge already had Windows Defender Smart Screen and Unwanted Application protection built-in.

Whenever a user visited the Chrome Web Store via the new Microsoft Edge, Google displayed a message in yellow at the top of the webpage recommending users to switch to Chrome in order to use extensions with added safety. However, seemingly, as soon as Google realized that greeting users with a warning message which clearly implied that Microsoft Edge is less secure of a browser is not making them look good, the tech giant softened and decided to take the alert down. Not only that, Google went a step ahead and replaced the previously displayed warning with a fresh one that tells users that now they can add extensions to Microsoft Edge from the Chrome Web Store.

However, officially only a few extensions are still supported by Microsoft Edge, as the installation of all these extensions for the first time will seem to be a bit complex. Users need to enable 'allow extensions' from other stores via the settings page. On attempting to do that, Microsoft warns that it doesn't verify extensions downloaded from third-party stores and cautions that doing the same may cause performance issues in Edge. Then it suggests users get verified extensions from the Microsoft Edge add-ons site. As soon as the users allow extensions by clicking on 'Allow', they will be able to add extensions to Edge from the Chrome Web Store.

Google Chrome Extension, Shitcoin Wallet found stealing passwords and crypto-wallet keys


MyCrypto platform reported that Shitcoin Wallet, a Google Chrome extension was injecting JavaScript code on web pages, in order to steal passwords and keys from cryptocurrency wallets.


The extension, Shitcoin Wallet, Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn, was launched last month on December 9. With Shitcoin Wallet, users managed their Ether (ETH) coins, and Ethereum ERC20-based tokens -- tokens usually issued for ICOs (initial coin offerings) either from the browser or by installing a desktop app.

Malicious Behavior with the extension

Harry Denley, Director of Security at the MyCrypto platform, discovered that the Chrome extension isn't what it promises to be. He found malicious code within the extension. ZDNet reported: "According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC20-based tokens) managed directly inside the extension are at risk. Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms."

Denley said that the extension sends all the keys on its system to a third-party website at erc20wallet[.]tk.

The malicious code works through the following process:

1. The user installs the Chrome extension Shitcoin Wallet.
2. The extension requests permission to inject the malicious JavaScript code into 77 websites.
3. If the user navigates to any of these 77 websites, it injects additional code.
4. The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange.
5. After activation, the code saves the user's login credentials, keys, and other data, then siphons them to a third party.
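Step 2 of the process is visible to a defender before installation, because the sites an extension may inject into are declared in its manifest. The following is an added example, not code from MyCrypto, ZDNet or the extension itself: it audits a manifest's content-script match patterns and host permissions against a watchlist of the wallet sites named above. The sample manifest is constructed and the function names are hypothetical.

```javascript
// Wallet sites named in the post, used here as a defender's watchlist.
const WATCHLIST = ["myetherwallet.com", "idex.market", "binance.org",
                   "neotracker.io", "switcheo.exchange"];

// Constructed sample manifest for illustration; NOT the real extension's manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example Wallet (constructed sample)",
  permissions: ["storage", "*://*.binance.org/*"],
  content_scripts: [
    { matches: ["https://www.myetherwallet.com/*", "*://*.example.org/*"], js: ["content.js"] },
    { matches: ["<all_urls>"], js: ["inject.js"] },
  ],
};

// True when host `a` is `b` itself or a subdomain of `b`.
const within = (a, b) => a === b || a.endsWith("." + b);

// Does a Chrome match pattern reach any host inside the watched site
// (the domain or one of its subdomains)? Only the host part is evaluated.
function reachesSite(pattern, domain) {
  if (typeof pattern !== "string") return false;
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]*)\//i.exec(pattern);
  if (!m) return false; // an API permission such as "storage", not a host pattern
  const host = m[2].toLowerCase();
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    // "*.base" matches base and all of its subdomains.
    const base = host.slice(2);
    return within(base, domain) || within(domain, base);
  }
  return within(host, domain);
}

// Collect every declared pattern and keep those that reach a watched site.
function auditManifest(manifest, watchlist) {
  const declared = [];
  (manifest.content_scripts || []).forEach((cs, i) =>
    (cs.matches || []).forEach((pattern) =>
      declared.push({ source: `content_scripts[${i}]`, pattern })));
  // Manifest V2 keeps host patterns in "permissions"; V3 uses "host_permissions".
  for (const key of ["permissions", "host_permissions"]) {
    (manifest[key] || []).forEach((pattern) => declared.push({ source: key, pattern }));
  }
  return declared
    .map((d) => ({ ...d, sites: watchlist.filter((w) => reachesSite(d.pattern, w)) }))
    .filter((d) => d.sites.length > 0);
}

for (const f of auditManifest(SAMPLE_MANIFEST, WATCHLIST)) {
  console.log(`${f.source}: ${f.pattern} reaches ${f.sites.join(", ")}`);
}
```

A wallet or password-manager watchlist hit is not proof of malice, but it shows which installed extensions are able to read those pages and deserve review.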

It is not yet clear whether the Shitcoin Wallet team is responsible for the malicious behavior or whether a third party infiltrated the extension. The Shitcoin Wallet team is silent on the allegations and has yet to give any comments on the matter.

Desktop App

Both 32-bit and 64-bit installers are available for the user to download on the extension's official website. VirusTotal, a website that aggregates the virus scanning engines of several antivirus software makers, showed that both versions were clean. But on a warning note, the desktop app may contain the code or something even worse.

Google Releases Chrome 79, Warns Users of Data Breach


Tech giant Google has issued a warning of a data leak for Indian and global users, after fixing a Chrome 79 bug and re-issuing the release later this week. Users were being sent notifications by the company via affected websites, through pop-up alerts that started to appear on desktops, mobile phone screens and laptop screens; these forced users into reading the text, which said that their passwords may have been exposed and hence they should change them immediately. "Change your password. A data breach on a site or app exposed your password. Chrome recommends changing your password for the site," the warning pop-up read.

As per sources, a bug affected data in select Android applications and Google had put on hold the release of Chrome 79. It was finally this week, Google's Chrome Releases blog confirmed the rollout of Chrome 79 for desktop and mobile platforms; Chrome 79 (79.0.3945.93) for Android comes with a fix for the WebView flaw and an assurance of improved defense against issues revolving around password protection of users.

According to the reports by media, the fix, "Resolves an issue in WebView where some users' app data was not visible within those apps. The app data was not lost and will be made visible in apps with this update."

WebView is a feature which is employed by various third-party applications to open a webpage, it ensures rendering of webpages within applications. However, here, Google Chrome is solely responsible for loading the content. PhoneGap and Twitter Lite are two apps that employ WebView functionality, as per AndroidPolice.

There have been various instances recorded in regard of the matter, nationally and globally, one such incident had a user trying to log into an e-commerce platform named 'Freshtohome' to shop fresh and chemical-free seafood as he received a pop-up warning him about the issue and advising to change his password.

In a similar manner, when one of India's media houses attempted to log into their portal, were faced with disruption and warnings began to pop-up onto the screen advising them the same.

In a public statement issued on Google threads, a Chromium engineer explains, "We are currently discussing the correct strategy for resolving this issue which will be one of: a) continue the migration, moving the missed files into their new locations. b) revert the change by moving migrated files to their old locations. We will let you know which of these two options have been chosen soon."

Google Chrome under Threat of Cyberattack as Zero-Day Exploit surfaces


As if Halloween night wasn't spooky enough, Google Chrome's engineers had a further fright: they had to announce a critical update for the browser across various platforms. So what gave Chrome the creeps? Two security vulnerabilities were discovered, one of which is a zero-day with an exploit in the open!


So, what is the whole story? 

According to Google, "the current Chrome browser (desktop version) is being refreshed to 78.0.3904.87 (a new version) throughout various platforms like Mac, Linux, and Windows. The critical update will begin to work soon. Chrome users are highly suggested to add these updates for safety, unlike the Windows 10 security updates (in which the users were told not to)." At present, it is not easy to obtain any specific information about the two exploits involved, except that the zero-day exploit is already out in the wild.

"Access to flaws and links can be restrained until most of the users are renewed with a solution. The constraints are also said to be kept under hold until the bug that exists (only if) within other party's archives on which alike projects are depending," says Google, justifying the actions taken.

About the Zero-Day Exploit

The vulnerability is known as CVE-2019-13720, according to Google. The threat was described on October 29 by Anton Ivanov and Alexey Kulaev, researchers at Kaspersky. "As far as we know, the Chrome update by Google directs loopholes that an intruder could misuse to hack an exploited computer if wanted," said the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) in a statement.

Both vulnerabilities rely on memory corruption to escalate privileges on the affected computer. The CVE-2019-13721 vulnerability affects the PDFium library, which is responsible for creating PDF files. But it is the other one, CVE-2019-13720, that is said to be exploited in the wild; it affects the audio component of Google Chrome. "Luckily, the threat is not very severe as Google has promptly recognized the flaws. The chances of any real damage in the 'Zero-Day room' are least," says Mike Thompson, applications security specialist.

New Security Flaw in Google's Chrome Browser Lets Hackers Access Sensitive User Data



Hackers are always finding new ways to exploit bugs and compromise sensitive user data. A recently discovered flaw in Google Chrome, which could lead to arbitrary code execution, allows attackers to view, edit or even delete confidential data.

The vulnerability in the browser was initially reported by the Center for Internet Security (CIS), and it could have allowed hackers to execute arbitrary code in the context of the browser. To keep the flaw in check, Google Chrome released an immediate update for its users around the globe.

In the upcoming week, Google will be releasing patches for Mac, Windows and Linux, as per the reports. However, older versions of the browser, meaning the versions before 76.0.3809.132, are prone to attack.

To be on the safe side, users are advised to keep their browsers updated and to be wary of suspicious websites. The report also recommends that users avoid following hyperlinks from unknown sources.

“A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights,” reads the report.

Google now pays more for disclosing vulnerabilities in Chrome OS and some Play Store apps

One of the hardest aspects of maintaining a cross-platform product is ensuring its security. Vulnerabilities can be exploited on various platforms in various scenarios, and it’s almost impossible for literally any company’s security department to fix all of them on their own. That’s why companies often use vulnerability disclosure rewards programs, which basically means giving money to someone who finds an issue in your product. Google has several programs of this kind. One of them is the Chrome Vulnerability Rewards Program, which rewards security researchers for exploiting vulnerabilities in Chromium, Chrome, and Chrome OS. As you already know, there are a lot of Chromium-based browsers on the market, so the security of this product is crucial.

Today, Google is increasing the minimum reward amount for this program. Currently, security researchers receive a maximum amount of $5,000 on baseline reports. These exploits are mostly around escaping the sandboxing. Google is tripling the high-severity baseline reward, bringing it up to $15,000. The payout for high-quality reports with functional exploits of the same category has doubled. Previously it was $15,000, but after today Google will pay $30,000 for these kinds of exploits. Google is also increasing the bonus from $500 to $1,000 for exploits found via Chrome Fuzzer, which lets security researchers use Google’s hardware and scale to replicate the exploits.

The Google Play Security Reward Program got an update, too. This program only covers apps that have specifically opted-in.

- The reward for remote code execution bug went from $5,000 to $20,000
- The reward for theft of insecure private data went from $1,000 to $3,000
- The reward for accessing protected app components went from $1,000 to $3,000

In short, Google decided to show more appreciation for all the security researchers who help ensure the security of its products. The changes take effect today. You can start looking for vulnerabilities if you are competent enough. Maybe you’ll get some reward from Google.

Phishing Scam Disguised As Some of Victims' Most-Trusted Websites Hits Google Chrome's Mobile Browser




A shockingly simple yet convincing phishing scam has struck Google Chrome's mobile browser, camouflaged as some of the victims' most trusted sites.

Referred to as the 'Inception Bar', it targets Android users of Chrome by using a fake address bar that shows not only the name of a real site but also an SSL badge, which is used to confirm a site's authenticity, indicating that the page is protected.

This 'Inception Bar' is essentially a webpage inside a webpage: even if a user tries to scroll back up to the top of the page to reach the address bar, they are forced back down, trapped in the fake page.

According to developer Jim Fisher, who posted about the exploit on his own blog, hackers can use a combination of coding and screenshots to trick victims into surrendering their private information.

Fisher even demonstrated that he was able to change the displayed URL of his own site to that of HSBC Bank.




This trick is especially valuable to scammers who try to disguise a malicious web page as a genuine one and steal significant data from users, such as passwords and credit card information.

With some additional coding, Fisher says, the trick could be made more advanced simply by making the fake bar interactive.

While his demo was done on Google Chrome, the trick could potentially affect other browsers with similar features.

In any case, Google has gone on to introduce a rather large group of new security features that explicitly target phishing, including banning embedded browsers and other features that notify users when they're browsing a 'potentially harmful' website.

Google Warns Users to Update Their Browser Immediately Due To a Disruptive Bug




A security breach revealed by hackers on the desktop version of Chrome has driven Google to warn its users to update Chrome as soon as they can or risk having their system 'hijacked'.

A part of Chrome called FileReader is thought to be connected with the exploit, as it lets software incorporated into websites access information stored on the user's computer.

With Chrome being the most commonly used internet browser on the planet, with in excess of approximately two billion active users, the search giant is quite guarded about the details of how the exploit operates, so as to keep copycat hackers from using comparable methods to try to break into users' accounts.

The fact that the security risk 'CVE-2019-5786' wasn't identified by Google in the first place implies that Chrome browsers were 'actively under attack' even before a fix could be released, which in turn gave hackers a 'head start' and left users' systems at high risk before an update was installed.

Google's lead security engineer Justin Schuh, writing on Twitter, warned users: 'Seriously update your Chrome installs... like right this minute.' He added later that, unlike previous bugs found in Chrome, which have targeted third-party software linked to the browser, this bug targeted Chrome code directly.

He therefore says that it is 'worth' warning users more publicly, as the fix requires them to take the additional step of manually restarting the browser after the update that neutralizes the exploit has been downloaded.

‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix, we will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.’ says Google.

Chrome Zero-Day Attack; Google Advises to Update Immediately!




Chrome has released its latest version, and researchers are urging all users to update the popular browser immediately.

The latest version is 72.0.3626.121 and was released at the very beginning of March 2019.

To upgrade an older version, all that needs to be done is to type the URL chrome://settings/help, which shows the user which version is currently installed.

All these alarm bells are ringing because of a zero-day security vulnerability that has recently emerged.

The vulnerability has been identified as CVE-2019-5786; Google says it is aware of it and is therefore warning its users.

A vulnerability is a bug that corrupts the software in a way that reduces security, whereas an exploit is a way of using the vulnerability to get past the security provisions.

All vulnerabilities pose a threat to the system, even if that only means producing thousands of unwanted messages.

All exploits emerge from vulnerabilities, but not all vulnerabilities lead to exploits.

If made to work maliciously, vulnerabilities could be forced to do a lot more than just create error messages.

A zero-day is a vulnerability that cybercriminals found a way to misuse before researchers could find an appropriate solution for it.

In other words, a zero-day is an attack for which even the best researchers can’t find a solution.

These attacks are usually discovered weeks or even months after they start operating on the network.

Google is working to fix the bug, and restrictions are being retained for as long as the bug exists.

The vulnerability involves a memory mismanagement bug in a part of Chrome called “FileReader”.

This “FileReader” helps web developers pop up menus and dialogs.

An attacker could take control of a lot through this particular bug. It is not restricted to reading from files and goes as far as “Remote Code Execution”.

This means any malware could be implanted onto the victim’s system without any warning, pop-up or dialog.

All that can be done to protect your system is to keep it up to date at all times.

Also, keep checking for updates and patches that fix vulnerabilities.
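The version check this post asks users to do by hand, extended to a small fleet audit against the fixed versions named in the posts on this page. This is an added example, not code from Google or from the original posts; the host names and inventory are constructed, and the advisory labels are descriptive only.

```python
import re

# Fixed versions as stated in the posts on this page. The 76.x entry has no
# CVE id on the page, so the label is descriptive only.
FIXED_IN = {
    "CVE-2019-5786 (FileReader)": "72.0.3626.121",
    "arbitrary code execution flaw (CIS report)": "76.0.3809.132",
    "CVE-2019-13720 / CVE-2019-13721": "78.0.3904.87",
}
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if not MAJOR.MINOR.BUILD.PATCH."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    # Compare numerically: as strings, "72.0.3626.99" sorts after
    # "72.0.3626.121" and an unpatched host would look patched.
    return tuple(int(part) for part in text.split("."))

def missing_fixes(installed):
    """List the advisories whose fixed version is newer than `installed`."""
    current = parse_version(installed)
    if current is None:
        raise ValueError(f"unrecognised Chrome version: {installed!r}")
    return [name for name, fixed in FIXED_IN.items()
            if current < parse_version(fixed)]

def audit(inventory):
    """Map host -> missing fixes; unparseable versions are flagged, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = missing_fixes(version)
        except ValueError:
            report[host] = ["UNKNOWN VERSION, check manually"]
    return report

# Constructed inventory (hypothetical hosts), e.g. exported from asset management.
INVENTORY = {
    "ws-01": "72.0.3626.99",
    "ws-02": "76.0.3809.132",
    "ws-03": "78.0.3904.87",
    "ws-04": "Chrome 71",
}

if __name__ == "__main__":
    for host, gaps in audit(INVENTORY).items():
        print(host, "up to date" if not gaps else gaps)
```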

Security experts exploit Google Chrome Zero-day using malicious PDF



Security researchers have found a new malicious PDF that exploits a Google Chrome zero-day flaw when victims use Chrome as a local PDF viewer.

Attackers are exploiting the Chrome zero-day vulnerability to track users and collect their personal information when they open this malicious PDF in the Chrome browser.

The security experts at EdgeSpot were the first to spot the flaw, which shows when the PDF is opened locally in the Chrome browser; the PDF shows no malicious activity when it is opened in the popular Adobe Reader.

The engine detected it as “POTENTIAL ZERO-DAY ATTACK (Google Chrome), PERSONAL INFORMATION LEAKAGE”.

The researchers at EdgeSpot found that an HTTP packet sends the following user information to the malicious sender:


  • The public IP address of the user.
  • OS, Chrome version etc (in HTTP POST header).
  • The full path of the PDF file on a user’s computer (in HTTP POST payload).


Users are advised to use an alternative PDF reader application for viewing PDFs until the Chrome issue is fixed, or to switch off the internet connection while using Chrome to view PDF documents.
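A detection sketch for the leak pattern listed above: an outbound HTTP POST from Chrome whose payload carries the full local path of a PDF. This is an added example, not EdgeSpot's engine; it assumes proxy logs are available as JSON lines with `method`, `user_agent` and `body` fields, and the log records and host names below are constructed.

```python
import json
import re

# A local path to a .pdf: Windows drive path, file:// URL, or POSIX home path.
# (Assumed heuristic; tune it to the path layouts used in your environment.)
LOCAL_PDF_PATH = re.compile(
    r"""(?:[A-Za-z]:[\\/]|file:///|/(?:home|Users)/)[^\s"'<>|]*\.pdf\b""",
    re.IGNORECASE,
)
# The Chrome version travels in the request header (User-Agent).
CHROME_UA = re.compile(r"\bChrome/(\d+(?:\.\d+){3})")

UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/72.0.3626.119 Safari/537.36"

def _line(**fields):
    return json.dumps(fields)

# Constructed proxy log, one JSON record per line.
SAMPLE_LOG = [
    _line(src="10.0.0.21", method="POST", host="collector.example",
          user_agent=UA, body=r"C:\Users\alice\Downloads\invoice.pdf"),
    _line(src="10.0.0.22", method="POST", host="search.example",
          user_agent=UA, body="q=report.pdf"),            # no local path
    _line(src="10.0.0.23", method="GET", host="cdn.example",
          user_agent=UA, body=""),                        # not a POST
    _line(src="10.0.0.24", method="POST", host="backup.example",
          user_agent="curl/7.64.0", body="/home/bob/a.pdf"),  # not Chrome
    "truncated {record",                                  # malformed line
]

def suspicious(record):
    """Return a finding dict if the record matches the leak pattern, else None."""
    if str(record.get("method", "")).upper() != "POST":
        return None
    ua = CHROME_UA.search(str(record.get("user_agent", "")))
    path = LOCAL_PDF_PATH.search(str(record.get("body", "")))
    if not (ua and path):
        return None
    return {"src": record.get("src"), "host": record.get("host"),
            "chrome": ua.group(1), "leaked_path": path.group(0)}

def scan(lines):
    """Scan JSON log lines and return all findings; bad lines are skipped."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = suspicious(record) if isinstance(record, dict) else None
        if hit:
            findings.append(hit)
    return findings
```

A hit only shows that a local PDF path left the network in a POST from Chrome; confirming the cause still means examining the PDF that was open at the time.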