Security News

Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google's store. This led them to a bunch of malicious browser extensions, 111 in total, which "Were found to upload sensitive data or not perform the task they're advertised to perform. A common technique, they said, is that the developer gets a clean version of an extension approved, and later updates it with the malicious payload. Some of the suspicious extensions have a reassuring number of reviews and downloads, in one case more than 22,000 reviews and 10 million downloads, presumably achieved by bot activity. Another popular approach is to clone a genuine extension and bundle it with malware."Awake has since worked with Google to take down these extensions from the Chrome Web Store," said the report, but no doubt more are on the way.

Google announced on Thursday that it's taking action against misleading and malicious notifications in Chrome with the release of version 84, which is scheduled for July 14. Google classifies abusive notifications as permission request issues, which trick or force users into allowing notifications, and notification issues, which are fake messages that mimic chats, system dialogs or warnings.

"In particular, the page can know which section of text was found using find-in-page, fragment navigation, and scroll-to-text navigation," the documentation says, adding that developers could also glean information about what the user navigated to - via scroll-to-text navigation, or typed into a find-in-page search box - based on which section of the page receives an event. The privacy risk of beforematch is not that of key logging - recording exactly what a web page user typed into a search dialog.

"In particular, the page can know which section of text was found using find-in-page, fragment navigation, and scroll-to-text navigation," the documentation says, adding that developers could also glean information about what the user navigated to - via scroll-to-text navigation, or typed into a find-in-page search box - based on which section of the page receives an event. The privacy risk of beforematch is not that of key logging - recording exactly what a web page user typed into a search dialog.

After delays to Chrome version 81 in March, and the scrapping of version 82 a month later, this week sees the early arrival of Chrome 83 with a longer list of new security features than originally planned. First, it's not turned on by default, and might not even be visible under Settings > Privacy and security > Advanced.

Google this week released Chrome 83 to the stable channel with patches for a total of 38 vulnerabilities, with improved Safe Browsing protection, and updated privacy and security controls. The newly introduced Enhanced Safe Browsing protection in Chrome is meant to provide users with a more advanced level of security while browsing the web, by increasing protection from dangerous websites and downloads.

Google has released version 83 of it's popular Chrome web browser, which includes new security and privacy features and fixes for security issues. The enhanced Safe Browsing mode will allow users to get a more personalized protection against malicious sites.

Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after Harry Denley, director of security at MyCrypto, found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users' private keys and other secrets used to access digital wallets so that their authors can steal victims' funds.

Three weeks after Google removed 49 Chrome extensions from its browser's software store for stealing crypto-wallet credentials, 11 more password-swiping add-ons have been spotted - and some are still available to download. The dodgy add-ons masquerade as legit crypto-wallet extensions, and invite people to type in their credentials to access their digital money, but are totally unofficial, and designed to siphon off those login details to crooks. Denley provided The Register with a list of extension identifiers, previously reported to Google, and we were able to find some still available in the Chrome Web Store at time of writing.

Developers use a number of ways to breed extensions like a bunch of spam bunnies in Google's Chrome Web Store, which is the biggest extension catalog online. User Ratings, Reviews, and Installs: Developers are forbidden from manipulating their extensions' placement in the Chrome Web Store by doing things like cooking up bogus downloads, reviews or ratings.