Security News
The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code, researchers say. The flaw has been fixed in the Chrome 85 stable channel, set to be rolled out to users this week.
Google is working on improving the security of Chrome users by alerting them when filling out forms on secure pages that are delivered insecurely. Chrome versions prior to 86 mark mixed forms by removing the lock icon from the address bar.
Entering information into and submitting it through insecure online forms will come with very explicit warnings in the upcoming Chrome 86, Google has announced. "Before M86, mixed forms were only marked by removing the lock icon from the address bar. We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms," Shweta Panditrao, a software engineer with the Chrome Security Team, explained.
Google announced on Wednesday that it's preparing to run an experiment in Chrome 86 as part of its fight against URL spoofing. Research conducted recently by Google and the University of Illinois at Urbana-Champaign showed that 60 percent of users were tricked when a URL path contained a misleading brand name.
Google this week announced that an update for Chrome 84 includes 15 security patches, including one for a serious vulnerability for which the tech giant awarded a $10,000 bug bounty. This vulnerability is CVE-2020-6542, a high-severity use-after-free bug in ANGLE, the Chrome component responsible for translating OpenGL ES API calls to the hardware-supported graphics APIs available on the operating system.
Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy rules since Chrome 73. Tracked as CVE-2020-6519, the issue stems from a CSP bypass that results in arbitrary execution of malicious code on target websites.
The bug is found in Chrome, Opera and Edge on Windows, Mac and Android, potentially affecting billions of web users, according to PerimeterX cybersecurity researcher Gal Weizman. CSP allows web admins to specify the domains that a browser should consider valid sources of executable scripts.
Chrome Web Store slammed again after 295 ad-injecting, spammy extensions downloaded 80 million times
Google's Chrome Web Store is once again under fire for poor policing of harmful extensions. The bad extensions consist of fake ad blockers that inject adverts into search results rather than blocking them, fake ad blockers that engage in cookie stuffing to defraud advertisers, and extensions involved in spam-related abuse.
Google this week announced a series of security and ease-of-use improvements for the Autofill feature in Chrome. "Biometric authentication is optional. You can choose to confirm your card with its CVC and you can also turn this feature on and off in Chrome Settings at any time," Google explains.
A handful of Chrome users have sued Google, accusing the browser maker of collecting personal information despite their decision not to sync data stored in Chrome with a Google Account. The lawsuit, filed on Monday in a US federal district court in San Jose, California, claims that Google promises not to collect personal information from Chrome users who choose not to sync their browser data with a Google Account but does so anyway.