Security News
Google removed 500 malicious Chrome extensions from its Web Store after they were found to inject malicious ads and siphon off user browsing data to servers under the control of attackers. The findings come as part of a joint investigation by security researcher Jamila Kaya and Cisco-owned Duo Security, which unearthed 70 Chrome extensions with over 1.7 million installations.
Google has announced a timetable for phasing out insecure file downloads in the Chrome browser, starting with desktop version 81 due out next month. Known in jargon as 'mixed content downloads', these are files such as software executables, documents and media files offered from secure HTTPS websites over insecure HTTP connections.
Continuing to drop flame retardant on the dumpster fire that is web security, Google on Thursday said it will soon prevent Chrome users from downloading files over insecure, plain old, unencrypted HTTP. "All insecure downloads are bad for privacy and security," declared Joe DeBlasio, who works on the Chrome security team, in a Twitter thread. "An eavesdropper can see what a user is downloading, or an active attacker can swap the download for a malicious one." "We hope to stop all unsafe downloads, but Chrome doesn't currently tell users on HTTPS pages that their downloads are insecure. That's weird! Users expect that what they do on secure pages to be... well secure! So we're blocking these downloads first."
In an attempt to improve the security of its users, the Chrome browser will soon start blocking insecure downloads on HTTPS pages, Google announced. The announcement comes just days after the release of Chrome 80, which by default blocks mixed audio and video resources if they cannot be automatically upgraded to HTTPS. The same will happen with image files in Chrome 81, which is expected to be released to the stable channel in March 2020.
Google Chrome will soon restrict certain files, like PDFs or executables, from being downloaded via an HTTP connection, if they are loaded on HTTPS webpages. With Chrome 68's 2018 release, Google started to label HTTP websites with an "Insecure" warning label in the navigation bar.
Version 80 of the Chrome browser is out with some new features designed to save your security and your sanity. The first is the first-party site that you are visiting, which needs those cookies for things like logging you back in automatically.
Google this week released Chrome 80 to the stable channel with 56 vulnerability patches and various other improvements to user security. To better protect from cross-site request forgery attacks, Chrome 80 will enforce a new secure-by-default cookie classification system, where only cookies set as SameSite=None; Secure will be available in third-party contexts, as long as they are accessed from secure connections.
Chrome 80 emerged from Google this week with a few more nails to hammer into the coffin of the venerable File Transfer Protocol. It has been a death by a thousand cuts for FTP in Chrome.
Google is potentially facing a massive privacy and GDPR row over Chrome sending per-installation ID numbers to the mothership. "This Chrome-Variations header will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation," Google explains in a paper describing Chrome capabilities.