Security News

Google's Chrome Web Store is once again under fire for poor policing of harmful extensions. The bad extensions consist of fake ad blockers that inject adverts into search results rather than blocking them, fake ad blockers that engage in cookie stuffing to defraud advertisers, and extensions involved in spam-related abuse.

Google this week announced a series of security and ease-of-use improvements for the Autofill feature in Chrome. "Biometric authentication is optional. You can choose to confirm your card with its CVC and you can also turn this feature on and off in Chrome Settings at any time," Google explains.

A handful of Chrome users have sued Google, accusing the browser maker of collecting personal information despite their decision not to sync data stored in Chrome with a Google Account. The lawsuit [PDF], filed on Monday in a US federal district court in San Jose, California, claimed Google promises not to collect personal information from Chrome users who choose not to sync their browser data with a Google Account but does so anyway.

Chrome 84 was released in the stable channel this week with a total of 38 patches, but also with additional security improvements, including the rollout of a previously announced SameSite cookie change. The release of Chrome 84 resumes the gradual rollout of the protection.

Cisco's Talos threat intelligence and research group this week disclosed the details of recently patched vulnerabilities affecting the Chrome and Firefox web browsers. The Chrome flaw, tracked as CVE-2020-6463 and classified as high severity with a CVSS score of 8.8, was patched by Google in April with the release of Chrome 81.0.4044.122.

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats. "Connections to TLS servers violating these new requirements will fail," Apple warned in its official note.

Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "Massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors. The extensions in question posed as utilities offering capabilities to convert files from one format to the other, among other tools for secure browsing, while relying on thousands of fake reviews to trick unsuspecting users into installing them.

Malicious Chrome extensions employed in a massive global surveillance campaign have been downloaded by millions before removal, Awake Security reveals. Over the past three months, Awake identified 111 malicious or fake Chrome extensions that used GalComm domains for attacker command and control infrastructure and/or as loader pages.

Lindsey: Yeah, it kind of does put into question Google's kind of its policies and how it is able to use automated and manual analyses of different extensions, just because, you know, as you mentioned, we have, 106 Chrome browser extensions in question here. As Tom pointed out, maybe some of those devices have, you know, Google Chrome extensions that are malicious.

Google removed 106 Chrome browser extensions Thursday from its Chrome Web Store in response to a report that they were being used to siphon sensitive user data. The attackers used the Google Chrome browser extensions to not only steal data, but also to create persistent footholds on corporate networks.