Security News

Facebook has taken legal action against the makers of malicious Chrome extensions used for scraping user-profiles and other information from Facebook's website and from users' systems without authorization. After being installed on the users' computers, these Chrome extensions also installed malicious code in the background which allowed the defendants to scrape user data from Facebook's site.

Makers of the Chrome, Firefox and Edge browsers are urging users to patch critical vulnerabilities that if exploited allow hackers to hijack systems running the software. The Mozilla Firefox vulnerability is separate from a bug reported in Google's browser engine Chromium, which is used in the Google Chrome browser and Microsoft's latest version of its Edge browser.

An update released this week by Google for Chrome 87 patches 16 vulnerabilities, including 14 rated high severity. The company has awarded more than $100,000 for these vulnerabilities.

Back in November, 2020, netizens warned that a Chrome extension called The Great Suspender may be malicious. The Register understands that the unidentified maintainer of the project subsequently resubmitted the extension without the suspicious behavior that had been cited in a GitHub issues post.

HTTPS, as you probably know, stands for secure HTTP, and it's a cryptographic process - a cybersecurity dance, if you like - that your browser performs with a web server when it connects, improving privacy and security by agreeing to encrypt the data that goes back and forth. Why is HTTP still the default choice of your browser if you type an URL into the address bar and don't explicitly put https:// at the start?

Google Chrome has fixed a bug that enabled antivirus programs on Windows 10 to lock newly created files. The patching of the bug means antivirus programs running on Windows would no longer block new files generated by the Chrome web browser, such as bookmarks.

Google is experimenting with increased storage for the browser cache to reduce the performance hit caused by the recently added partitioned cache feature. To prevent these side-channel attacks, Google added a new feature to Chrome 85 that partitions the browser's disk cache so that each site utilizes its own cache that cannot be read by other sites.

Google has disabled a feature that displays a warning when submitting insecure forms after receiving many complaints from users and website administrators. Google has been focusing on removing mixed-content in Google Chrome, when a secure page loads content from an insecure URL. As part of this initiative, Google rolled out a new feature in Chrome 86 that warns users when submitting insecure forms from a secure page to an insecure URL. Submitting an insecure form would display a warning about the risks of doing so and asks the user if they wish to continue submitting the information.

Malware hidden in 28 third-party extensions for Google Chrome and Microsoft Edge redirects users to ads or phishing sites, Avast warned this week. These extensions were designed to redirect users to other websites.

Malicious Chrome and Edge browser extensions with over 3 million installs, most of them still available on the Chrome Web Store and the Microsoft Edge Add-ons portal, are capable of stealing users' info and redirecting them to phishing sites. While Avast spotted the extensions in November 2020, they estimate that they could have been used for malicious purposes for years given that some Chrome Web Store reviewers have reported link hijacking starting with December 2018.